EP3537743A1 - Terminal device, core network node, base station, security gateway, device, method, program, and recording medium - Google Patents
- Publication number: EP3537743A1 (application EP17866905.7A)
- Authority: EP (European Patent Office)
- Prior art keywords: scheme, terminal apparatus, information indicating, information, base station
- Legal status: Pending
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS
  - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
    - H04W12/08—Access security
    - H04W12/03—Protecting confidentiality, e.g. by encryption > H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    - H04W12/06—Authentication > H04W12/069—Authentication using certificates or pre-shared keys
    - H04W12/30—Security of mobile devices; Security of mobile applications > H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
  - H04W72/00—Local resource management > H04W72/04—Wireless resource allocation
  - H04W8/00—Network data management > H04W8/22—Processing or transfer of terminal data, e.g. status or physical capabilities
  - H04W84/00—Network topologies > H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop] > H04W84/10—Small scale networks; Flat hierarchical networks > H04W84/12—WLAN [Wireless Local Area Networks]
  - H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices > H04W88/02—Terminal devices > H04W88/06—Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L63/0272—Virtual private networks
Definitions
- the present disclosure relates to a terminal apparatus, a core network node, a base station, a security gateway, an apparatus, a method, a program and a recording medium.
- LWIP LTE/WLAN Radio Level Integration with IPsec Tunnel
- UE user equipment
- LWIP-SeGW LWIP Security Gateway
- NPL 1 discloses that Pre-Shared Key (PSK) is used for mutual authentication in setting of an IPsec tunnel between a UE and a LWIP-SeGW.
- PTL 1 discloses that a security gateway communicates with a terminal apparatus via a WLAN.
- NPL 1 3GPP TS 33.401 V13.3.0 (2016-06) "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture (Release 13) "
- PSK is presently used for mutual authentication when an IPsec tunnel is set between a UE and a LWIP-SeGW according to NPL 1. Therefore, no other authentication scheme is used for the mutual authentication, even if the UE supports other authentication schemes which are more secure than PSK.
- an encryption scheme for an IPsec tunnel is not clear in LWIP according to NPL 1.
- a negotiation for an encryption scheme may be performed between a UE and a LWIP-SeGW using Internet Key Exchange (IKE) protocol used for setting processing of an IPsec tunnel, and an encryption scheme supported by both of the UE and the LWIP-SeGW may be applied.
- IKE Internet Key Exchange
- the encryption scheme that is first determined to be supported by both of them may be applied. Consequently, in the present state it is difficult to control, on the network side, the encryption scheme used between a UE and a LWIP-SeGW.
- An example object of the present disclosure is to make it possible to ensure security of communication via a WLAN more flexibly.
- a terminal apparatus includes an information obtaining unit configured to obtain capability information related to capability of the terminal apparatus, and a first communication processing unit configured to transmit the capability information to a mobile communication network.
- the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for Security Architecture for Internet Protocol (IPsec) supported by the terminal apparatus.
- IPsec Security Architecture for Internet Protocol
- a core network node includes an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus, and a communication processing unit configured to transmit the capability information to a base station.
- the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a base station includes an information obtaining unit configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and a first communication processing unit configured to transmit the scheme information to the security gateway.
- a security gateway includes a first communication processing unit configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and the security gateway via a wireless local area network, and a second communication processing unit configured to perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- a first method includes obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a first program is a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a first recording medium is a non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a first apparatus includes an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus, and a first communication processing unit configured to transmit the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for Security Architecture for Internet Protocol (IPsec) supported by the terminal apparatus.
- a second apparatus includes a memory storing a program, and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a third apparatus includes a memory and one or more processors, wherein the one or more processors are configured to obtain capability information related to capability of a terminal apparatus, and transmit the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a second method includes obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a second program is a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a second recording medium is a non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a fourth apparatus includes an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus, and a communication processing unit configured to transmit the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a fifth apparatus includes a memory storing a program, and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a sixth apparatus includes a memory and one or more processors, wherein the one or more processors are configured to obtain capability information related to capability of a terminal apparatus, and transmit the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- a third method includes obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmitting the scheme information to the security gateway.
- a third program is a program for causing a processor to execute obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmitting the scheme information to the security gateway.
- a third recording medium is a non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmitting the scheme information to the security gateway.
- a seventh apparatus includes an information obtaining unit configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and a first communication processing unit configured to transmit the scheme information to the security gateway.
- An eighth apparatus includes a memory storing a program, and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmitting the scheme information to the security gateway.
- a ninth apparatus includes a memory and one or more processors, wherein the one or more processors are configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmit the scheme information to the security gateway.
- a fourth method includes receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- a fourth program is a program for causing a processor to execute receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- a fourth recording medium is a non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- a tenth apparatus includes a first communication processing unit configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and a second communication processing unit configured to perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- An eleventh apparatus includes a memory storing a program, and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- a twelfth apparatus includes a memory and one or more processors, wherein the one or more processors are configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- LWIP is described as a related art of the present example embodiments with reference to FIG. 1 to FIG. 3.
- FIG. 1 is an explanatory diagram for describing an example of a network configuration of LWIP assumed in 3GPP.
- an eNB 10, a LWIP-SeGW 20, a WLAN-AP 30, a UE 40, a core network 500, a mobility management entity (MME) 60 and a serving gateway (S-GW) 70 are illustrated.
- the eNB 10 and the UE 40 can transmit and receive data over a Uu interface, and can transmit/receive data to/from each other via the LWIP-SeGW 20 and the WLAN-AP 30.
- the LWIP-SeGW 20 provides an IPsec tunnel for transmission and reception of data via a WLAN. That is, the LWIP-SeGW 20 and the UE 40 set an IPsec tunnel and transmit and receive data via a WLAN through the IPsec tunnel.
- FIG. 2 is an explanatory diagram for describing an example of a protocol stack of LWIP assumed in 3GPP Release-13.
- FIG. 3 is an explanatory diagram for describing an example of a protocol stack of LWIP assumed in 3GPP Release-14.
- an IPsec tunnel is set between the LWIP-SeGW 20 and the UE 40.
- the LWIP-SeGW 20 and the UE 40 transmit/receive data to/from each other through the IPsec tunnel.
- LWIPEP LWIP Encapsulation Protocol
- PSK is used for mutual authentication when an IPsec tunnel is set between a UE and a LWIP-SeGW in the present state according to 3GPP TS 33.401 V13.3.0. Therefore, no other authentication scheme is used for the mutual authentication, even if the UE supports another authentication scheme which is more secure than PSK.
- an encryption scheme for an IPsec tunnel is not clear in LWIP according to 3GPP TS 33.401 V13.3.0.
- a negotiation for an encryption scheme may be performed between a UE and a LWIP-SeGW using IKE protocol used for setting processing of an IPsec tunnel, and an encryption scheme supported by both of the UE and the LWIP-SeGW may be applied.
- the encryption scheme that is first determined to be supported by both of them may be applied. Consequently, in the present state it is difficult to control, on the network side, the encryption scheme used between a UE and a LWIP-SeGW.
- An example object of the present disclosure is to make it possible to ensure security of communication via a WLAN more flexibly.
- a terminal apparatus transmits capability information related to capability of the terminal apparatus to a mobile communication network (a core network node (MME) or a base station (eNB)).
- the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- the core network node transmits the capability information to a base station (eNB).
- eNB base station
- a base station transmits, to a security gateway (LWIP-SeGW), scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus (UE) and the security gateway via a wireless local area network.
- LWIP-SeGW security gateway
- the security gateway performs mutual authentication or encryption for communication with the terminal apparatus (UE) via a WLAN based on the scheme information.
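The capability-information flow described above (the UE reports the authentication schemes and IPsec encryption schemes it supports to the MME or eNB, the eNB derives scheme information from it and sends that to the LWIP-SeGW, and the LWIP-SeGW authenticates and encrypts accordingly), set beside the uncontrolled IKE negotiation from the background section in which the first scheme found to be supported by both sides is applied, modelled as an added Python example. This is not code from the patent or from 3GPP: the scheme labels, the network preference table, the message structures and the sample UE capabilities are constructed assumptions used only to show the control flow.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Set


@dataclass(frozen=True)
class UECapability:
    """Capability information as the UE reports it to the network (MME or eNB).
    Scheme names are constructed labels for this example, not 3GPP or IKEv2
    identifiers."""
    auth_schemes: Sequence[str]      # e.g. ("PSK", "CERT")
    ipsec_encryption: Sequence[str]  # e.g. ("AES-CBC-128", "AES-GCM-256")


@dataclass(frozen=True)
class SchemeInfo:
    """Scheme information the eNB sends to the LWIP-SeGW."""
    auth_scheme: str
    encryption_scheme: str


# Network-side policy held by the eNB, most preferred first (assumed ordering).
NETWORK_AUTH_PREFERENCE = ("CERT", "PSK")
NETWORK_ENC_PREFERENCE = ("AES-GCM-256", "AES-GCM-128", "AES-CBC-128")


def ike_negotiate(initiator_order: Sequence[str], responder_accepts: Set[str]) -> Optional[str]:
    """Negotiation as the page's background describes it: the first proposal in
    the initiator's (UE's) list that the responder (SeGW) accepts is applied,
    so without any network input the UE's ordering decides the outcome."""
    for proposal in initiator_order:
        if proposal in responder_accepts:
            return proposal
    return None


def select_scheme(cap: UECapability, segw_auth: Set[str], segw_enc: Set[str]) -> Optional[SchemeInfo]:
    """eNB role: intersect the UE capability information (received directly or
    forwarded by the MME) with what the SeGW supports, then pick by network
    preference rather than by UE ordering. None means no acceptable pair."""
    auth = next((s for s in NETWORK_AUTH_PREFERENCE
                 if s in cap.auth_schemes and s in segw_auth), None)
    enc = next((s for s in NETWORK_ENC_PREFERENCE
                if s in cap.ipsec_encryption and s in segw_enc), None)
    if auth is None or enc is None:
        return None
    return SchemeInfo(auth, enc)


def run_flow(cap: UECapability, segw_auth: Set[str], segw_enc: Set[str],
             ue_ike_order: Sequence[str]):
    """Controlled flow: capability info -> eNB selects -> SeGW accepts only the
    selected scheme -> IKE negotiation with the UE. Returns the (auth, enc)
    pair actually applied, or None if no tunnel can be set up."""
    scheme = select_scheme(cap, segw_auth, segw_enc)
    if scheme is None:
        return None
    # SeGW role: restrict the acceptable IKE proposals to the eNB's choice.
    enc = ike_negotiate(ue_ike_order, {scheme.encryption_scheme})
    if enc is None:
        return None  # UE's IKE offer lacks the selected scheme: no downgrade, no tunnel
    return (scheme.auth_scheme, enc)


if __name__ == "__main__":
    # Constructed sample: the UE lists a weaker cipher first; the SeGW supports both.
    ue = UECapability(("PSK", "CERT"), ("AES-CBC-128", "AES-GCM-256"))
    segw_auth = {"PSK", "CERT"}
    segw_enc = {"AES-CBC-128", "AES-GCM-128", "AES-GCM-256"}
    print("uncontrolled IKE:", ike_negotiate(ue.ipsec_encryption, segw_enc))
    print("with scheme info:", run_flow(ue, segw_auth, segw_enc, ue.ipsec_encryption))
```

For the same UE the uncontrolled negotiation returns the cipher the UE happened to list first, while the controlled flow returns the pair the network preferred; a UE whose IKE offer omits the selected scheme gets no tunnel rather than a weaker one, and a UE that supports only PSK still gets PSK because the assumed policy permits it as the lowest preference.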
- FIG. 4 is an explanatory diagram illustrating an example of a schematic configuration of the system 1 according to the example embodiments of the present disclosure.
- the system 1 includes a base station 100, a security gateway 200, a WLAN-AP 300, a terminal apparatus 400 and a core network 500.
- the system 1 is a system that complies with 3GPP standards. More specifically, the system 1 may be a system that complies with LTE, LTE-Advanced and/or System Architecture Evolution (SAE). Alternatively, the system 1 may be a system that complies with a standard of Fifth Generation (5G). Of course, the system 1 is not limited to these examples.
- SAE System Architecture Evolution
- 5G Fifth Generation
- the base station 100 is a node which performs wireless communication with a terminal apparatus.
- the base station 100 is a node of a radio access network (RAN).
- the base station 100 may be an eNB, or may be a generation Node B (gNB) in 5G.
- the base station 100 may include a plurality of units (or a plurality of nodes).
- the plurality of units (or plurality of nodes) may include a first unit (or a first node) performing processing of a higher protocol layer, and a second unit (or a second node) performing processing of a lower protocol layer.
- the first unit may be referred to as a center/central unit (CU), and the second unit may be referred to as a distributed unit (DU) or an access unit (AU).
- the first unit may be referred to as a digital unit (DU).
- the second unit may be referred to as a radio unit (RU) or a remote unit (RU).
- the digital unit (DU) may be a base band unit (BBU).
- the RU may be a remote radio head (RRH) or a remote radio unit (RRU).
- RRH remote radio head
- RRU remote radio unit
- Terms used to refer to the first unit (or first node) and the second unit (or second node) are, of course, not limited to these examples.
- the base station 100 may be a single unit (or single node).
- the base station 100 may be one of the plurality of units (e.g., one of the first unit and the second unit) and may be connected to another one of the plurality of units (e.g., the other one of the first unit and the second unit).
- the base station 100 can transmit/receive data to/from the terminal apparatus 400 wirelessly (e.g. over a Uu interface), and can transmit/receive data to/from the terminal apparatus 400 via the security gateway 200 and the WLAN-AP 300.
- the base station 100 can perform operations of LWIP.
- the security gateway 200 ensures security of communication via a WLAN.
- the security gateway 200 provides a security tunnel (an IPsec tunnel) for communication via a WLAN.
- the security gateway 200 is a LWIP-SeGW.
- the security gateway 200 is located between the base station 100 on one side and the WLAN-AP 300 and the terminal apparatus 400 on the other.
- the WLAN-AP 300 is an access point of a WLAN and performs wireless communication with a terminal apparatus (e.g. the terminal apparatus 400) in conformity with one or more of the IEEE 802.11 series standards (IEEE 802.11b/11a/11g/11n/11ac etc.).
- the terminal apparatus 400 performs wireless communication with a base station.
- the terminal apparatus 400 performs wireless communication with the base station 100 when the terminal apparatus 400 is located in a coverage area of the base station 100.
- the terminal apparatus 400 is a UE.
- the terminal apparatus 400 can transmit/receive data to/from the base station 100 wirelessly (e.g. over a Uu interface), and can transmit/receive data to/from the base station 100 via the WLAN-AP 300 and the security gateway 200.
- the terminal apparatus 400 can perform operations of LWIP.
- the core network 500 includes a first core network node 600 and a second core network node 700.
- the first core network node 600 is a node responsible for control-plane (C-plane) processing. For example, the first core network node 600 transmits a control message to the base station 100, and receives a control message from the base station 100.
- the second core network node 700 is a node responsible for user-plane (U-plane) processing. For example, the second core network node 700 transmits a data packet (a packet including data) to the base station 100, and receives a data packet from the base station 100.
- the core network 500 is an Evolved Packet Core (EPC).
- the first core network node 600 is an MME
- the second core network node 700 is an S-GW.
- the system 1 according to the example embodiments of the present disclosure is described above.
- the base station 100 and the core network 500 are included in a mobile communication network.
- the mobile communication network is an Evolved Packet System (EPS).
- EPS Evolved Packet System
- FIG. 5 is a block diagram illustrating an example of a schematic configuration of the base station 100 according to the first example embodiment.
- the base station 100 includes a wireless communication unit 110, a network communication unit 120, a storage unit 130 and a processing unit 140.
- the wireless communication unit 110 is configured to wirelessly transmit and receive signals.
- the wireless communication unit 110 is configured to receive signals from a terminal apparatus and transmit signals to a terminal apparatus.
- the network communication unit 120 is configured to receive signals from a network and transmit signals to a network.
- the storage unit 130 is configured to store programs and parameters for operation of the base station 100 as well as various data temporarily or permanently.
- the processing unit 140 is configured to provide various functions of the base station 100.
- the processing unit 140 includes an information obtaining unit 141, a first communication processing unit 143, a second communication processing unit 145, a third communication processing unit 147, and a control unit 149.
- the processing unit 140 may further include constituent elements other than these. That is, the processing unit 140 may perform operations other than the operations of these constituent elements. Specific operations of the information obtaining unit 141, the first communication processing unit 143, the second communication processing unit 145, the third communication processing unit 147, and the control unit 149 will be described in detail later.
- the processing unit 140 (the first communication processing unit 143) communicates with the security gateway 200 through the network communication unit 120.
- the processing unit 140 (the second communication processing unit 145) communicates with a core network node (e.g. the first core network node 600 or the second core network node 700) through the network communication unit 120.
- the processing unit 140 (the third communication processing unit 147) communicates with a terminal apparatus (e.g. the terminal apparatus 400) through the wireless communication unit 110.
- the wireless communication unit 110 may be implemented with an antenna, a radio frequency (RF) circuit and the like.
- the network communication unit 120 may be implemented with a network adapter, a network interface card or the like.
- the storage unit 130 may be implemented with a memory (for example, non-volatile memory and/or volatile memory), a hard disk and/or the like.
- the processing unit 140 may be implemented with a baseband (BB) processor, another processor and/or the like.
- the information obtaining unit 141, the first communication processing unit 143, the second communication processing unit 145, the third communication processing unit 147 and the control unit 149 may be implemented with the same processor or with different processors.
- the above memory (storage unit 130) may be included in such a processor (a chip).
- the base station 100 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the processing unit 140 (the operations of the information obtaining unit 141, the first communication processing unit 143, the second communication processing unit 145, the third communication processing unit 147 and the control unit 149).
- the program may be a program for causing a processor to execute the operations of the processing unit 140 (the operations of the information obtaining unit 141, the first communication processing unit 143, the second communication processing unit 145, the third communication processing unit 147 and the control unit 149).
- FIG. 6 is a block diagram illustrating an example of a schematic configuration of the security gateway 200 according to the first example embodiment.
- the security gateway 200 includes a network communication unit 210, a storage unit 220 and a processing unit 230.
- the network communication unit 210 is configured to receive signals from a network and transmit signals to a network.
- the storage unit 220 is configured to store programs and parameters for operation of the security gateway 200 as well as various data temporarily or permanently.
- the processing unit 230 is configured to provide various functions of the security gateway 200.
- the processing unit 230 includes a first communication processing unit 231 and a second communication processing unit 233.
- the processing unit 230 may further include constituent elements other than these. That is, the processing unit 230 may perform operations other than the operations of these constituent elements. Specific operations of the first communication processing unit 231 and the second communication processing unit 233 will be described in detail later.
- the processing unit 230 communicates with another node through the network communication unit 210.
- the processing unit 230 (the first communication processing unit 231) communicates with the base station 100 (or a core network node) through the network communication unit 210.
- the processing unit 230 (the second communication processing unit 233) communicates with the terminal apparatus 400 via a WLAN (the WLAN-AP 300) through the network communication unit 210.
- the network communication unit 210 may be implemented with a network adapter, a network interface card or the like.
- the storage unit 220 may be implemented with a memory (for example, non-volatile memory and/or volatile memory), hard disc and/or the like.
- the processing unit 230 may be implemented with a processor and/or the like.
- the first communication processing unit 231 and the second communication processing unit 233 may be implemented with the same processor or with respective different processors.
- the above memory (storage unit 220) may be included in such a processor (a chip).
- the security gateway 200 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the processing unit 230 (the operations of the first communication processing unit 231 and the second communication processing unit 233).
- the program may be a program for causing a processor to execute the operations of the processing unit 230 (the operations of the first communication processing unit 231 and the second communication processing unit 233).
- Figure 7 is a block diagram illustrating an example of a schematic configuration of the terminal apparatus 400 according to the first example embodiment.
- the terminal apparatus 400 includes a first wireless communication unit 410, a second wireless communication unit 420, a storage unit 430 and a processing unit 440.
- the first wireless communication unit 410 is configured to wirelessly transmit and receive signals.
- the first wireless communication unit 410 is configured to receive signals from the base station 100 and transmit signals to the base station 100.
- the second wireless communication unit 420 is configured to wirelessly transmit and receive signals.
- the second wireless communication unit 420 is configured to receive signals from the WLAN-AP 300 and transmit signals to the WLAN-AP 300.
- the storage unit 430 is configured to store programs and parameters for operation of the terminal apparatus 400 as well as various data temporarily or permanently.
- the processing unit 440 is configured to provide various functions of the terminal apparatus 400.
- the processing unit 440 includes an information obtaining unit 441, a first communication processing unit 443 and a second communication processing unit 445.
- the processing unit 440 may further include a constituent element other than these constituent elements. That is, the processing unit 440 may perform operations other than the operations of these constituent elements. Specific operations of the information obtaining unit 441, the first communication processing unit 443 and the second communication processing unit 445 will be described in detail later.
- the processing unit 440 (the first communication processing unit 443) communicates with the base station 100 (or a core network node) through the first wireless communication unit 410.
- the processing unit 440 (the second communication processing unit 445) communicates with the security gateway 200 (or the base station 100) via the WLAN-AP 300 through the second wireless communication unit 420.
- Each of the first wireless communication unit 410 and the second wireless communication unit 420 may be implemented with an antenna, a radio frequency (RF) circuit and the like.
- the storage unit 430 may be implemented with a memory (for example, non-volatile memory and/or volatile memory), hard disc and/or the like.
- the processing unit 440 may be implemented with a base band (BB) processor, another processor and/or the like.
- the information obtaining unit 441, the first communication processing unit 443 and the second communication processing unit 445 may be implemented with the same processor or with respective different processors.
- the above memory (storage unit 430) may be included in such a processor (a chip).
- the terminal apparatus 400 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the processing unit 440 (the operations of the information obtaining unit 441, the first communication processing unit 443 and the second communication processing unit 445).
- the program may be a program for causing a processor to execute the operations of the processing unit 440 (the operations of the information obtaining unit 441, the first communication processing unit 443 and the second communication processing unit 445).
- Figure 8 is a block diagram illustrating an example of a schematic configuration of the first core network node 600 according to the first example embodiment.
- the first core network node 600 includes a network communication unit 610, a storage unit 620 and a processing unit 630.
- the network communication unit 610 is configured to receive signals from a network and transmit signals to a network.
- the storage unit 620 is configured to store programs and parameters for operation of the first core network node 600 as well as various data temporarily or permanently.
- the processing unit 630 is configured to provide various functions of the first core network node 600.
- the processing unit 630 includes an information obtaining unit 631 and a communication processing unit 633.
- the processing unit 630 may further include a constituent element other than these constituent elements. That is, the processing unit 630 may perform operations other than the operations of these constituent elements. Specific operations of the information obtaining unit 631 and the communication processing unit 633 will be described in detail later.
- the processing unit 630 communicates with another node through the network communication unit 610.
- the processing unit 630 (the communication processing unit 633) communicates with the base station 100 (or another core network node) through the network communication unit 610.
- the network communication unit 610 may be implemented with a network adapter, a network interface card or the like.
- the storage unit 620 may be implemented with a memory (for example, non-volatile memory and/or volatile memory), hard disc and/or the like.
- the processing unit 630 may be implemented with a processor and/or the like.
- the information obtaining unit 631 and the communication processing unit 633 may be implemented with the same processor or with respective different processors.
- the above memory (storage unit 620) may be included in such a processor (a chip).
- the first core network node 600 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the processing unit 630 (the operations of the information obtaining unit 631 and the communication processing unit 633).
- the program may be a program for causing a processor to execute the operations of the processing unit 630 (the operations of the information obtaining unit 631 and the communication processing unit 633).
- the terminal apparatus 400 (the information obtaining unit 441) obtains capability information related to capability of the terminal apparatus 400. Then the terminal apparatus 400 (the first communication processing unit 443) transmits the capability information to a mobile communication network.
- the capability information includes information indicating an authentication scheme supported by the terminal apparatus 400 (hereinafter referred to as "authentication capability information"), and/or information indicating an encryption scheme for IPsec supported by the terminal apparatus 400 (hereinafter referred to as "encryption capability information").
- the authentication scheme may be referred to as a mutual authentication scheme.
- the authentication capability information includes information indicating a digital signature scheme supported by the terminal apparatus.
- the information indicating the digital signature scheme includes at least one of information indicating whether Rivest Shamir Adleman (RSA) is supported and information indicating whether Digital Signature Algorithm (DSA) is supported.
- the authentication capability information may include other information.
- the authentication capability information may include information indicating whether PSK is supported.
- the encryption capability information includes at least one of information indicating an encryption algorithm supported by the terminal apparatus 400 and information indicating a key generation scheme supported by the terminal apparatus 400.
- the information indicating the key generation scheme includes at least one of information indicating a pseudo-random function (PRF) supported by the terminal apparatus 400 and information indicating a Diffie-Hellman (DH) group supported by the terminal apparatus 400.
- Figure 9 is an explanatory diagram for describing an example of authentication capability information and encryption capability information according to a first example embodiment.
- four parameters which are Mutual Authentication, Encryption Algorithm, Pseudo-Random Function and DH Group are illustrated.
- the parameter of Mutual Authentication includes information indicating whether PSK is supported, information indicating whether RSA is supported, and information indicating whether DSA is supported.
- the parameter of Encryption Algorithm includes information indicating whether AES-CBC 128bit is supported, information indicating whether AES-CBC 192bit is supported, information indicating whether AES-CBC 256bit is supported, information indicating whether AES-CCM 128bit is supported, and information indicating whether 3DES-CBC 168bit is supported.
- the parameter of Pseudo-Random Function and the parameter of DH Group can be described as well.
- the capability information may be "UE network capability" or "UE security capability" specified in 3GPP TS 24.301 (or a part of it), or may be "UE Capability Information message" specified in 3GPP TS 36.331 or an information element (IE) included in this message.
- the authentication capability information and/or the encryption capability information may be information newly added to such an IE or such a message.
- the authentication capability information and/or the encryption capability information may be information included in another message or another IE.
- the mobile communication network includes the first core network node 600 (e.g. a MME), and the terminal apparatus 400 (the first communication processing unit 443) transmits the capability information to the first core network node 600.
- the terminal apparatus 400 transmits a Non-Access Stratum (NAS) message including the capability information to the first core network node 600 via the base station 100.
- the first core network node 600 receives the capability information.
- the first core network node 600 stores the capability information.
- the first core network node 600 (the communication processing unit 633) transmits the capability information to a Home Subscriber Server (HSS), and makes the HSS store the capability information.
- the first core network node 600 (the information obtaining unit 631) obtains the capability information independently or in response to a request from the base station 100. Then, the first core network node 600 (the communication processing unit 633) transmits the capability information to the base station 100. For example, the first core network node 600 (the communication processing unit 633) transmits an S1 message including the capability information to the base station 100. The base station 100 (the second communication processing unit 145) receives the capability information from the first core network node 600.
- FIG. 10 is a sequence diagram for describing a first example of a schematic flow of processing according to a first example embodiment.
- the terminal apparatus 400 transmits an Attach Request message including capability information to the first core network node 600 via the base station 100 (S801).
- the first core network node 600 transmits an Initial Context Setup Request message including the capability information to the base station 100, and the base station 100 receives this message (S803).
- the base station 100 transmits an Initial Context Setup Response message to the first core network node 600.
- authentication capability information and/or encryption capability information is newly added to the capability information, and the base station 100 can obtain the authentication capability information and/or the encryption capability information.
- FIG. 11 is a sequence diagram for describing a second example of a schematic flow of processing according to a first example embodiment.
- the terminal apparatus 400 transmits an Attach Request message including capability information to the first core network node 600 via the base station 100 (S811).
- the base station 100 transmits a UE Capability Request message to the first core network node 600 (e.g. after receiving an Initial Context Setup Request message) (S813).
- the first core network node 600 transmits a UE Capability Response message including the capability information, and the base station 100 receives this message (S815).
- the above described UE Capability Request message and UE Capability Response message are newly defined as S1 messages and particularly include authentication capability information and/or encryption capability information.
- it is therefore possible for the base station 100 to obtain the authentication capability information and/or the encryption capability information.
- the terminal apparatus 400 may transmit a certificate used in the digital signature scheme with the authentication capability information to the first core network node 600, and the first core network node 600 may transmit the certificate with the authentication capability information to the base station 100.
- the mobile communication network may include the base station 100 (e.g. an eNB), and the terminal apparatus 400 (the first communication processing unit 443) may transmit the capability information to the base station 100.
- the terminal apparatus 400 may transmit a Radio Resource Control (RRC) message including the capability information to the first core network node 600 via the base station 100.
- the base station 100 (the third communication processing unit 147) may receive the capability information.
- the base station 100 (the storage unit 130) may store the capability information.
- FIG. 12 is a sequence diagram for describing a third example of a schematic flow of processing according to a first example embodiment.
- the base station 100 transmits a UE Capability Enquiry message to the terminal apparatus 400 (S821).
- the terminal apparatus 400 transmits a UE Capability Information message including the capability information to the base station 100, and the base station 100 receives this message (S823).
- the base station 100 transmits a UE Capability Info Indication message to the first core network node 600 (S825).
- authentication capability information and/or encryption capability information is newly added to the UE Capability Information message, and the base station 100 can obtain the authentication capability information and/or the encryption capability information.
- the terminal apparatus 400 may transmit a certificate used in the digital signature scheme with the authentication capability information to the base station 100.
- An authentication scheme and/or an encryption scheme may be predetermined per service class instead of transmitting the capability information from the terminal apparatus 400 to the mobile communication network as described above.
- information indicating an authentication scheme and/or an encryption scheme per service class may be stored in the base station 100 (the storage unit 130) (for example as Operations, Administration, Maintenance (OAM) information).
- the base station 100 may read, from this information, an authentication scheme and/or an encryption scheme corresponding to a service class of the terminal apparatus 400.
- the service class may be a Quality of service Class Identifier (QCI) or an Internet Protocol (IP) flow.
- the base station 100 may obtain the capability information (the authentication capability information and/or the encryption capability information in particular).
- the base station 100 obtains the capability information. Then the base station 100 (the control unit 149) selects an authentication scheme and/or an encryption scheme to be used for communication between the terminal apparatus 400 and the security gateway 200 based on the capability information.
- the authentication scheme is a digital signature scheme. More specifically, for example, the authentication scheme is RSA or DSA.
- the authentication scheme may be another scheme.
- the authentication scheme may be PSK.
- the base station 100 selects one of PSK, RSA and DSA.
- the encryption scheme is an encryption scheme for IPsec.
- the encryption scheme is an encryption scheme for an IPsec tunnel between the terminal apparatus 400 and the security gateway 200.
- the encryption scheme includes at least one of an encryption algorithm and a key generation scheme.
- the key generation scheme includes at least one of a pseudo-random function (PRF) and a DH group.
- the encryption scheme includes an encryption algorithm, a pseudo-random function (PRF) and a DH group. That is, the base station 100 (the control unit 149) selects an encryption algorithm, a pseudo-random function (PRF) and a DH group to be used for communication between the terminal apparatus 400 and the security gateway 200. More specifically, for example, the base station 100 (the control unit 149) selects an encryption algorithm, a pseudo-random function (PRF) and a DH group for an IPsec tunnel between the terminal apparatus 400 and the security gateway 200.
- the authentication scheme and/or the encryption scheme are schemes per service class. That is, the base station 100 (the control unit 149) selects the authentication scheme and/or the encryption scheme per service class.
- when the service class is a QCI, the base station 100 (the control unit 149) selects the authentication scheme and/or the encryption scheme per QCI (per bearer).
- when the service class is an IP flow, the base station 100 (the control unit 149) may select the authentication scheme and/or the encryption scheme per IP flow.
- the authentication scheme and/or the encryption scheme may be schemes per user (per terminal apparatus). That is, the base station 100 (the control unit 149) may select the authentication scheme and/or the encryption scheme per user (terminal apparatus).
- the base station 100 selects an authentication scheme and/or an encryption scheme supported by both of the terminal apparatus 400 and the security gateway 200.
- the base station 100 may select an authentication scheme and/or an encryption scheme based on a service class of the terminal apparatus 400. Specifically, when the service class of the terminal apparatus 400 requires a higher level of security, the base station 100 (the control unit 149) may select a more secure authentication scheme and/or a more secure encryption scheme.
- the base station 100 may select the most secure one of the authentication schemes and/or encryption schemes supported by both of the terminal apparatus 400 and the security gateway 200.
- the base station 100 selects the authentication scheme and/or the encryption scheme.
- the base station 100 (the control unit 149) generates scheme information indicating the authentication scheme and/or the encryption scheme.
- the base station 100 (the information obtaining unit 141) obtains the scheme information indicating the authentication scheme and/or the encryption scheme (i.e. a selected authentication scheme and/or a selected encryption scheme). Then, the base station 100 (the first communication processing unit 143) transmits the scheme information to the security gateway 200.
- the security gateway 200 (the first communication processing unit 231) receives the scheme information from the base station 100. For example, a newly defined interface between the base station 100 and the security gateway 200 is used for transmission and reception of the scheme information.
- the base station 100 (the third communication processing unit 147) transmits the scheme information to the terminal apparatus 400.
- the terminal apparatus 400 (the first communication processing unit 443) receives the scheme information from the base station 100.
- the base station 100 transmits the scheme information to the security gateway 200 and the terminal apparatus 400 per service class.
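The selection described above (intersect the terminal's and the security gateway's capabilities, apply the service-class policy, pick the most secure common option, and produce scheme information per QCI) as an added, runnable example; this is not code from the patent. The four parameters follow Figure 9; the strongest-first orderings, the per-QCI security floors, the PRF and DH group option names and the sample capability tables are assumptions constructed for the example.

```python
"""Base-station side scheme selection for a UE <-> security gateway IPsec tunnel.

Capability information is modelled as parameter -> option -> supported? maps, in
the layout of Figure 9 (Mutual Authentication, Encryption Algorithm,
Pseudo-Random Function, DH Group).  Preference orderings, QCI floors and the
PRF/DH option names are assumptions for this example, not from the patent.
"""
from typing import Dict, List, Optional, Set, Tuple

Capability = Dict[str, Dict[str, bool]]   # parameter -> option -> supported?
Scheme = Dict[str, str]                   # parameter -> selected option

# Strongest option first.  The patent only says "the most secure one supported
# by both"; the concrete ranking here is an assumption.
PREFERENCE: Dict[str, Tuple[str, ...]] = {
    "Mutual Authentication": ("RSA", "DSA", "PSK"),
    "Encryption Algorithm": ("AES-CCM 128bit", "AES-CBC 256bit", "AES-CBC 192bit",
                             "AES-CBC 128bit", "3DES-CBC 168bit"),
    "Pseudo-Random Function": ("HMAC-SHA2-256", "HMAC-SHA1"),    # assumed names
    "DH Group": ("DH group 19", "DH group 14", "DH group 2"),     # assumed names
}

# Per-QCI policy: the weakest option still acceptable for each parameter.
# Constructed for the example; a deployment would take this from OAM data.
QCI_FLOOR: Dict[int, Dict[str, str]] = {
    1: {},                                    # e.g. voice bearer: anything common
    5: {"Mutual Authentication": "DSA",       # no PSK
        "Encryption Algorithm": "AES-CBC 128bit",   # no 3DES
        "DH Group": "DH group 14"},           # no DH group 2
}


class NoCommonScheme(Exception):
    """The terminal and the gateway share no option acceptable for the QCI."""


def supported_options(cap: Capability, parameter: str) -> Set[str]:
    """Options a node flagged as supported for one parameter (absent -> none)."""
    return {opt for opt, ok in cap.get(parameter, {}).items() if ok}


def select_option(parameter: str, ue_cap: Capability, segw_cap: Capability,
                  floor: Optional[str]) -> str:
    """Most secure option supported by both sides and not weaker than `floor`."""
    order = PREFERENCE[parameter]
    common = supported_options(ue_cap, parameter) & supported_options(segw_cap, parameter)
    last_allowed = order.index(floor) if floor is not None else len(order) - 1
    for option in order[:last_allowed + 1]:       # walk strongest -> weakest allowed
        if option in common:
            return option
    raise NoCommonScheme(f"{parameter}: no common option at or above {floor!r}")


def select_scheme(ue_cap: Capability, segw_cap: Capability, qci: int) -> Scheme:
    """Scheme information for one bearer: authentication scheme plus the
    encryption algorithm, PRF and DH group of the IPsec tunnel."""
    floor = QCI_FLOOR.get(qci, {})
    return {p: select_option(p, ue_cap, segw_cap, floor.get(p)) for p in PREFERENCE}


def scheme_information_per_qci(ue_cap: Capability, segw_cap: Capability,
                               qcis: List[int]) -> Dict[int, Scheme]:
    """Per-bearer scheme information the base station would carry in a
    Security Configuration Request to the gateway and to the terminal."""
    return {qci: select_scheme(ue_cap, segw_cap, qci) for qci in qcis}


# Constructed sample capability information (Figure 9 layout).
UE_CAP: Capability = {
    "Mutual Authentication": {"PSK": True, "RSA": False, "DSA": True},
    "Encryption Algorithm": {"AES-CBC 128bit": True, "AES-CBC 192bit": False,
                             "AES-CBC 256bit": True, "AES-CCM 128bit": False,
                             "3DES-CBC 168bit": True},
    "Pseudo-Random Function": {"HMAC-SHA2-256": True, "HMAC-SHA1": True},
    "DH Group": {"DH group 19": False, "DH group 14": True, "DH group 2": True},
}
LEGACY_UE_CAP: Capability = {            # constructed: only weak options
    "Mutual Authentication": {"PSK": True, "RSA": False, "DSA": False},
    "Encryption Algorithm": {"AES-CBC 128bit": False, "AES-CBC 192bit": False,
                             "AES-CBC 256bit": False, "AES-CCM 128bit": False,
                             "3DES-CBC 168bit": True},
    "Pseudo-Random Function": {"HMAC-SHA2-256": False, "HMAC-SHA1": True},
    "DH Group": {"DH group 19": False, "DH group 14": False, "DH group 2": True},
}
SEGW_CAP: Capability = {                  # constructed: gateway supports everything
    "Mutual Authentication": {"PSK": True, "RSA": True, "DSA": True},
    "Encryption Algorithm": {"AES-CBC 128bit": True, "AES-CBC 192bit": True,
                             "AES-CBC 256bit": True, "AES-CCM 128bit": True,
                             "3DES-CBC 168bit": True},
    "Pseudo-Random Function": {"HMAC-SHA2-256": True, "HMAC-SHA1": True},
    "DH Group": {"DH group 19": True, "DH group 14": True, "DH group 2": True},
}

if __name__ == "__main__":
    print(scheme_information_per_qci(UE_CAP, SEGW_CAP, [1, 5]))
    try:
        select_scheme(LEGACY_UE_CAP, SEGW_CAP, 5)
    except NoCommonScheme as err:
        print("QCI 5 not configurable for legacy UE:", err)
```

When no common option satisfies the bearer's floor the function raises instead of silently falling back to a weaker scheme, so the base station can refuse to send a Security Configuration Request for that bearer.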
- the base station 100 may obtain a certificate used in the digital signature scheme. Then, the base station 100 (the first communication processing unit 143) may transmit the certificate to the security gateway 200. The security gateway 200 (the first communication processing unit 231) may receive the certificate.
- the security gateway 200 (the second communication processing unit 233) performs mutual authentication and/or encryption for communication with the terminal apparatus 400 via a WLAN (the WLAN-AP 300) based on the scheme information. For example, the security gateway 200 (the second communication processing unit 233) performs mutual authentication with the terminal apparatus 400 according to an authentication scheme indicated by the scheme information. For example, the security gateway 200 (the second communication processing unit 233) generates an encryption key according to a key generation scheme indicated by the scheme information, and performs encryption according to an encryption algorithm indicated by the scheme information.
- the terminal apparatus 400 (the second communication processing unit 445) performs authentication or encryption for communication with the security gateway 200 via a WLAN (the WLAN-AP 300) based on the scheme information.
- the specific operations of the terminal apparatus 400 are the same as the above described specific operations of the security gateway 200.
- the base station 100 may request release and resetting of an IPsec tunnel from the security gateway 200.
- the terminal apparatus 400 may use an authentication scheme and/or an encryption scheme selected by the base station 100.
- Figure 13 is a sequence diagram for describing a fourth example of a schematic flow of processing according to a first example embodiment.
- the base station 100 selects an authentication scheme and/or an encryption scheme to be used for communication between the terminal apparatus 400 and the security gateway 200 based on capability information (S831).
- the base station 100 transmits, to the security gateway 200, a Security Configuration Request message including scheme information indicating the authentication scheme and/or the encryption scheme (S833).
- the security gateway 200 receives this message (S833) and transmits a response message to the base station 100 (S835).
- the base station 100 transmits a Security Configuration Request message including the scheme information to the terminal apparatus 400 (S837).
- the terminal apparatus 400 receives this message (S837) and transmits a response message to the base station 100 (S839).
- the security gateway 200 and the terminal apparatus 400 perform, based on the scheme information, mutual authentication and/or encryption for communicating with each other via a WLAN (S841, S843). More specifically, for example, the security gateway 200 and the terminal apparatus 400 perform, based on the scheme information, mutual authentication and/or encryption for an IPsec tunnel between the security gateway 200 and the terminal apparatus 400.
- the terminal apparatus 400 transmits authentication capability information and/or encryption capability information to a network
- the base station 100 selects an authentication scheme and/or an encryption scheme based on such information
- the security gateway uses the authentication scheme and/or the encryption scheme.
- Figure 14 is a block diagram illustrating an example of a schematic configuration of the base station 100 according to the second example embodiment.
- the base station 100 includes an information obtaining unit 151 and a first communication processing unit 153.
- the information obtaining unit 151 and the first communication processing unit 153 may be implemented with a base band (BB) processor, another processor and/or the like.
- the information obtaining unit 151 and the first communication processing unit 153 may be implemented with the same processor or with respective different processors.
- the base station 100 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the information obtaining unit 151 and the first communication processing unit 153.
- the program may be a program for causing a processor to execute the operations of the information obtaining unit 151 and the first communication processing unit 153.
- Figure 15 is a block diagram illustrating an example of a schematic configuration of the security gateway 200 according to the second example embodiment.
- the security gateway 200 includes a first communication processing unit 241 and a second communication processing unit 243.
- the first communication processing unit 241 and the second communication processing unit 243 may be implemented with a processor and/or the like.
- the first communication processing unit 241 and the second communication processing unit 243 may be implemented with the same processor or with respective different processors.
- the security gateway 200 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the first communication processing unit 241 and the second communication processing unit 243.
- the program may be a program for causing a processor to execute the operations of the first communication processing unit 241 and the second communication processing unit 243.
- Figure 16 is a block diagram illustrating an example of a schematic configuration of the terminal apparatus 400 according to the second example embodiment.
- the terminal apparatus 400 includes an information obtaining unit 451 and a first communication processing unit 453.
- the information obtaining unit 451 and the first communication processing unit 453 may be implemented with a base band (BB) processor, another processor and/or the like.
- the information obtaining unit 451 and the first communication processing unit 453 may be implemented with the same processor or with respective different processors.
- the terminal apparatus 400 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the information obtaining unit 451 and the first communication processing unit 453.
- the program may be a program for causing a processor to execute the operations of the information obtaining unit 451 and the first communication processing unit 453.
- Figure 17 is a block diagram illustrating an example of a schematic configuration of the first core network node 600 according to the second example embodiment.
- the first core network node 600 includes an information obtaining unit 641 and a communication processing unit 643.
- the information obtaining unit 641 and the communication processing unit 643 may be implemented with a processor and/or the like.
- the information obtaining unit 641 and the communication processing unit 643 may be implemented with the same processor or with respective different processors.
- the first core network node 600 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the information obtaining unit 641 and the communication processing unit 643.
- the program may be a program for causing a processor to execute the operations of the information obtaining unit 641 and the communication processing unit 643.
- the terminal apparatus 400 (the information obtaining unit 451) obtains capability information related to capability of the terminal apparatus 400. Then the terminal apparatus 400 (the first communication processing unit 453) transmits the capability information to a mobile communication network.
- the first core network node 600 (the information obtaining unit 641) obtains the capability information. Then, the first core network node 600 (the communication processing unit 643) transmits the capability information to the base station 100.
- the base station 100 (the information obtaining unit 151) obtains scheme information indicating an authentication scheme and/or an encryption scheme to be used for communication between the terminal apparatus 400 and the security gateway 200. Then, the base station 100 (the first communication processing unit 153) transmits the scheme information to the security gateway 200. The security gateway 200 (the first communication processing unit 241) receives the scheme information from the base station 100.
- the security gateway 200 (the second communication processing unit 243) performs mutual authentication and/or encryption for communication with the terminal apparatus 400 via a WLAN (the WLAN-AP 300) based on the scheme information.
- the second example embodiment has been described above. According to the second example embodiment, for example, it is possible to ensure security of communication via a WLAN more flexibly. As a result, the security may be improved.
- any processing described herein need not be performed chronologically in the order illustrated in the corresponding sequence diagram.
- the steps of the processing may be performed in an order different from the order illustrated as the corresponding sequence diagram or may be performed in parallel.
- one or some of the steps of the processing may be deleted, or one or more steps may be added to the processing.
- An apparatus (e.g. one or more apparatuses (or units) out of a plurality of apparatuses (or units) constituting the base station, or a module for one of the plurality of apparatuses (or units)) including constituent elements of the base station described herein (e.g. the information obtaining unit, the first communication processing unit, the second communication processing unit, the third communication processing unit and/or the control unit) may be provided.
- An apparatus (e.g. a module for the security gateway) including constituent elements of the security gateway described herein (e.g. the first communication processing unit and/or the second communication processing unit) may be provided.
- An apparatus e.g. a module for the terminal apparatus including constituent elements of the terminal apparatus described herein (e.g.
- An apparatus e.g. a module for the core network node including constituent elements of the core network node described herein (e.g. the information obtaining unit and/or the communication processing unit) may be provided.
- methods including processing of such constituent elements may be provided, and programs for causing processors to execute processing of such constituent elements may be provided.
- non-transitory computer readable recording media having recorded thereon the program may be provided.
- apparatuses, modules, methods, programs and non-transitory computer readable recording media are also included in the present disclosure.
- a terminal apparatus comprising:
- the terminal apparatus according to Supplementary Note 1, wherein the information indicating the authentication scheme includes information indicating a digital signature scheme supported by the terminal apparatus.
- the information indicating the digital signature scheme includes at least one of information indicating whether Rivest Shamir Adleman (RSA) is supported and information indicating whether Digital Signature Algorithm (DSA) is supported.
- the information indicating the encryption scheme includes at least one of information indicating an encryption algorithm supported by the terminal apparatus and information indicating a key generation scheme supported by the terminal apparatus.
- the information indicating the key generation scheme includes at least one of information indicating a pseudo-random function supported by the terminal apparatus and information indicating a Diffie-Hellman (DH) group supported by the terminal apparatus.
- the terminal apparatus according to any one of Supplementary Notes 1 to 5, wherein the mobile communication network includes a core network node, and the first communication processing unit is configured to transmit the capability information to the core network node.
- the terminal apparatus according to any one of Supplementary Notes 1 to 6, wherein the mobile communication network includes a base station, and the first communication processing unit is configured to transmit the capability information to the base station.
- the terminal apparatus according to any one of Supplementary Notes 1 to 7, wherein the mobile communication network includes a base station, the first communication processing unit receives, from the base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between the terminal apparatus and a security gateway via a wireless local area network, and the terminal apparatus further comprises a second communication processing unit configured to perform authentication or encryption for communication with the security gateway via the wireless local area network based on the scheme information.
- a core network node comprising:
- a base station comprising:
- the base station according to Supplementary Note 11, wherein the information obtaining unit is configured to obtain a certificate used in the digital signature scheme, and the first communication processing unit is configured to transmit the certificate to the security gateway.
- the base station according to any one of Supplementary Notes 10 to 12, wherein the encryption scheme is an encryption scheme for IPsec.
- the base station according to any one of Supplementary Notes 10 to 13, wherein the encryption scheme includes at least one of an encryption algorithm and a key generation scheme.
- the base station according to Supplementary Note 14, wherein the key generation scheme includes at least one of a pseudo-random function and a Diffie-Hellman (DH) group.
- the base station according to any one of Supplementary Notes 10 to 15, wherein the information obtaining unit is configured to obtain capability information related to capability of the terminal apparatus, the capability information includes information indicating an authentication scheme or an encryption scheme supported by the terminal apparatus, and the base station further comprises a control unit configured to select the authentication scheme or the encryption scheme to be used for the communication between the terminal apparatus and the security gateway based on the capability information.
- the base station according to Supplementary Note 16 further comprising a second communication processing unit configured to receive the capability information from a core network node.
- the base station according to Supplementary Note 16 further comprising a third communication processing unit configured to receive the capability information from the terminal apparatus.
- the base station according to any one of Supplementary Notes 10 to 18, wherein the authentication scheme or the encryption scheme is a scheme per service class.
- the base station according to Supplementary Note 19, wherein the service class is a quality of service class identifier (QCI) or an Internet Protocol (IP) flow.
- the base station according to any one of Supplementary Notes 10 to 20, further comprising a third communication processing unit configured to transmit the scheme information to the terminal apparatus.
- the base station is an evolved Node B (eNB)
- the terminal apparatus is a user equipment (UE)
- the security gateway is a LTE WLAN RAN Level Integration using IPSec Security Gateway (LWIP-SeGW).
- a security gateway comprising:
- a method comprising:
- An apparatus comprising:
- An apparatus comprising:
- An apparatus comprising:
- the apparatus according to any one of Supplementary Notes 27 to 29, wherein the apparatus is the terminal apparatus or a module for the terminal apparatus.
- a method comprising:
- An apparatus comprising:
- An apparatus comprising:
- An apparatus comprising:
- the apparatus according to any one of Supplementary Notes 34 to 36, wherein the apparatus is a core network node or a module for a core network node.
- a method comprising:
- An apparatus comprising:
- An apparatus comprising:
- An apparatus comprising:
- the apparatus according to any one of Supplementary Notes 41 to 43, wherein the apparatus is a base station, one or more apparatuses out of a plurality of apparatuses constituting a base station, or a module of one of the plurality of apparatuses.
- a method comprising:
- An apparatus comprising:
- An apparatus comprising:
- An apparatus comprising:
Description
- The present disclosure relates to a terminal apparatus, a core network node, a base station, a security gateway, an apparatus, a method, a program and a recording medium.
- Currently, in Third Generation Partnership Project (3GPP), development of LTE/WLAN Radio Level Integration with IPsec Tunnel (LWIP) as a data transmission scheme with the use of both of an evolved Node B (eNB) and a wireless local area network access point (WLAN-AP) is ongoing.
- In LWIP, a Security Architecture for Internet Protocol (IPsec) tunnel between a user equipment (UE) and a LWIP Security Gateway (LWIP-SeGW) is set, and an encryption function and an authentication function for data transmitted to and received from the LWIP-SeGW are realized.
- For example, NPL 1 discloses that Pre-Shared Key (PSK) is used for mutual authentication in setting of an IPsec tunnel between a UE and a LWIP-SeGW. In addition, for example, PTL 1 discloses that a security gateway communicates with a terminal apparatus via a WLAN.
- [PTL 1] JP 2016-507993 T
- [NPL 1] 3GPP TS 33.401 V13.3.0 (2016-06) "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture (Release 13)"
- However, for example, PSK is presently used for mutual authentication in setting of an IPsec tunnel between a UE and a LWIP-SeGW according to NPL 1. Therefore, other authentication schemes are not used for the mutual authentication (even if the UE supports other authentication schemes which are more secure than PSK).
- In addition, an encryption scheme for an IPsec tunnel is not clear in LWIP according to NPL 1. Thus, for example, a negotiation for an encryption scheme may be performed between a UE and a LWIP-SeGW using Internet Key Exchange (IKE) protocol used for setting processing of an IPsec tunnel, and an encryption scheme supported by both of the UE and the LWIP-SeGW may be applied. As an example, an encryption scheme first determined to be supported by both of them may be applied. In this way, it is difficult to control an encryption scheme used by a UE and a LWIP-SeGW on a network side in the present state.
- An example object of the present disclosure is to make it possible to ensure security of communication via a WLAN more flexibly.
- A terminal apparatus according to an example aspect of the present disclosure includes an information obtaining unit configured to obtain capability information related to capability of the terminal apparatus, and a first communication processing unit configured to transmit the capability information to a mobile communication network. The capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for Security Architecture for Internet Protocol (IPsec) supported by the terminal apparatus.
- A core network node according to an example aspect of the present disclosure includes an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus, and a communication processing unit configured to transmit the capability information to a base station. The capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A base station according to an example aspect of the present disclosure includes an information obtaining unit configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and a first communication processing unit configured to transmit the scheme information to the security gateway.
- A security gateway according to an example aspect of the present disclosure includes a first communication processing unit configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and the security gateway via a wireless local area network, and a second communication processing unit configured to perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- A first method according to an example aspect of the present disclosure includes obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A first program according to an example aspect of the present disclosure is a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A first recording medium according to an example aspect of the present disclosure is a non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A first apparatus according to an example aspect of the present disclosure includes an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus, and a first communication processing unit configured to transmit the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for Security Architecture for Internet Protocol (IPsec) supported by the terminal apparatus.
- A second apparatus according to an example aspect of the present disclosure includes a memory storing a program, and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A third apparatus according to an example aspect of the present disclosure includes a memory and one or more processors, wherein the one or more processors are configured to obtain capability information related to capability of a terminal apparatus, and transmit the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A second method according to an example aspect of the present disclosure includes obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A second program according to an example aspect of the present disclosure is a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A second recording medium according to an example aspect of the present disclosure is a non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A fourth apparatus according to an example aspect of the present disclosure includes an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus, and a communication processing unit configured to transmit the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A fifth apparatus according to an example aspect of the present disclosure includes a memory storing a program, and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute obtaining capability information related to capability of a terminal apparatus, and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A sixth apparatus according to an example aspect of the present disclosure includes a memory and one or more processors, wherein the one or more processors are configured to obtain capability information related to capability of a terminal apparatus, and transmit the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A third method according to an example aspect of the present disclosure includes obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmitting the scheme information to the security gateway.
- A third program according to an example aspect of the present disclosure is a program for causing a processor to execute obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmitting the scheme information to the security gateway.
- A third recording medium according to an example aspect of the present disclosure is a non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmitting the scheme information to the security gateway.
- A seventh apparatus according to an example aspect of the present disclosure includes an information obtaining unit configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and a first communication processing unit configured to transmit the scheme information to the security gateway.
- An eighth apparatus according to an example aspect of the present disclosure includes a memory storing a program, and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmitting the scheme information to the security gateway.
- A ninth apparatus according to an example aspect of the present disclosure includes a memory and one or more processors, wherein the one or more processors are configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and transmit the scheme information to the security gateway.
- A fourth method according to an example aspect of the present disclosure includes receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- A fourth program according to an example aspect of the present disclosure is a program for causing a processor to execute receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- A fourth recording medium according to an example aspect of the present disclosure is a non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- A tenth apparatus according to an example aspect of the present disclosure includes a first communication processing unit configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and a second communication processing unit configured to perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- An eleventh apparatus according to an example aspect of the present disclosure includes a memory storing a program, and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- A twelfth apparatus according to an example aspect of the present disclosure includes a memory and one or more processors, wherein the one or more processors are configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network, and perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- According to an example aspect of the present disclosure, it is possible to ensure security of communication via a WLAN more flexibly. Note that the present disclosure may exert other advantageous effects instead of the above advantageous effects or together with the above advantageous effects.
- Figure 1 is an explanatory diagram for describing an example of a network configuration of LWIP assumed in 3GPP.
- Figure 2 is an explanatory diagram for describing an example of a protocol stack of LWIP assumed in 3GPP Release-13.
- Figure 3 is an explanatory diagram for describing an example of a protocol stack of LWIP assumed in 3GPP Release-14.
- Figure 4 is an explanatory diagram illustrating an example of a schematic configuration of a system according to example embodiments of the present disclosure.
- Figure 5 is a block diagram illustrating an example of a schematic configuration of a base station according to a first example embodiment.
- Figure 6 is a block diagram illustrating an example of a schematic configuration of a security gateway according to a first example embodiment.
- Figure 7 is a block diagram illustrating an example of a schematic configuration of a terminal apparatus according to a first example embodiment.
- Figure 8 is a block diagram illustrating an example of a schematic configuration of a first core network node according to a first example embodiment.
- Figure 9 is an explanatory diagram for describing an example of authentication capability information and encryption capability information according to a first example embodiment.
- Figure 10 is a sequence diagram for describing a first example of a schematic flow of processing according to a first example embodiment.
- Figure 11 is a sequence diagram for describing a second example of a schematic flow of processing according to a first example embodiment.
- Figure 12 is a sequence diagram for describing a third example of a schematic flow of processing according to a first example embodiment.
- Figure 13 is a sequence diagram for describing a fourth example of a schematic flow of processing according to a first example embodiment.
- Figure 14 is a block diagram illustrating an example of a schematic configuration of a base station according to a second example embodiment.
- Figure 15 is a block diagram illustrating an example of a schematic configuration of a security gateway according to a second example embodiment.
- Figure 16 is a block diagram illustrating an example of a schematic configuration of a terminal apparatus according to a second example embodiment.
- Figure 17 is a block diagram illustrating an example of a schematic configuration of a first core network node according to a second example embodiment.
- Example embodiments of the present disclosure will be described below in detail with reference to the accompanying drawings. Note that, in the present description and drawings, elements to which the same or similar descriptions are applicable are denoted by the same reference signs, whereby overlapping descriptions may be omitted.
- Description will be given in the following order.
- 1. Related Art
- 2. Overview of Example Embodiments of the Present disclosure
- 3. Configuration of System according to Example Embodiments of the Present disclosure
- 4. First Example Embodiment
- 4.1. Configuration of Base Station
- 4.2. Configuration of Security Gateway
- 4.3. Configuration of Terminal Apparatus
- 4.4. Configuration of First Core Network Node
- 4.5. Technical Features
- 5. Second Example Embodiment
- 5.1. Configuration of Base Station
- 5.2. Configuration of Security Gateway
- 5.3. Configuration of Terminal Apparatus
- 5.4. Configuration of First Core Network Node
- 5.5. Technical Features
- LWIP is described as a related art related to the present example embodiments with reference to Figure 1 to Figure 3.
- Currently, in 3GPP, development of LWIP as a data transmission scheme with the use of both of an eNB and a WLAN-AP is ongoing.
- Figure 1 is an explanatory diagram for describing an example of a network configuration of LWIP assumed in 3GPP. Referring to Figure 1, an eNB 10, a LWIP-SeGW 20, a WLAN-AP 30, a UE 40, a core network 500, a mobility management entity (MME) 60 and a serving gateway (S-GW) 70 are illustrated. In LWIP, the eNB 10 and the UE 40 can transmit and receive data over a Uu interface, and can transmit/receive data to/from each other via the LWIP-SeGW 20 and the WLAN-AP 30. The LWIP-SeGW 20 provides an IPsec tunnel for transmission and reception of data via a WLAN. That is, the LWIP-SeGW 20 and the UE 40 set an IPsec tunnel and transmit and receive data via a WLAN through the IPsec tunnel.
- Figure 2 is an explanatory diagram for describing an example of a protocol stack of LWIP assumed in 3GPP Release-13. In addition, Figure 3 is an explanatory diagram for describing an example of a protocol stack of LWIP assumed in 3GPP Release-14. As described in Figure 2 and Figure 3, an IPsec tunnel is set between the LWIP-SeGW 20 and the UE 40. The LWIP-SeGW 20 and the UE 40 transmit/receive data to/from each other through the IPsec tunnel. Note that LWIP Encapsulation Protocol (LWIPEP) is located in the eNB 10 in Release-13, and LWIPEP is located in the LWIP-SeGW 20 in Release-14.
- Firstly, an overview of example embodiments of the present disclosure is described.
- PSK is used for mutual authentication in setting of an IPsec tunnel between a UE and a LWIP-SeGW in the present state according to 3GPP TS 33.401 V13.3.0. Therefore, another authentication scheme is not used for the mutual authentication (even if the UE supports another authentication scheme which is more secure than PSK).
- In addition, an encryption scheme for an IPsec tunnel is not clear in LWIP according to 3GPP TS 33.401 V13.3.0. Thus, for example, a negotiation for an encryption scheme may be performed between a UE and a LWIP-SeGW using IKE protocol used for setting processing of an IPsec tunnel, and an encryption scheme supported by both of the UE and the LWIP-SeGW may be applied. As an example, an encryption scheme determined first to be supported by both of them may be applied. In this way, it is difficult to control an encryption scheme used by a UE and a LWIP-SeGW on a network side in the present state.
- An example object of the present disclosure is to make it possible to ensure security of communication via a WLAN more flexibly.
- According to the example embodiments of the present disclosure, for example, a terminal apparatus (UE) transmits capability information related to capability of the terminal apparatus to a mobile communication network (a core network node (MME) or a base station (eNB)). In particular, the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- According to the example embodiments of the present disclosure, for example, the core network node (MME) transmits the capability information to a base station (eNB).
- According to the example embodiments of the present disclosure, for example, a base station (eNB) transmits, to a security gateway (LWIP-SeGW), scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus (UE) and the security gateway via a wireless local area network.
- According to the example embodiments of the present disclosure, for example, the security gateway (LWIP-SeGW) performs mutual authentication or encryption for communication with the terminal apparatus (UE) via a WLAN based on the scheme information.
- This makes it possible, for example, to ensure security of communication via a WLAN more flexibly.
- An example of a configuration of a system 1 according to the example embodiments is described with reference to Figure 4. Figure 4 is an explanatory diagram illustrating an example of a schematic configuration of the system 1 according to the example embodiments of the present disclosure. Referring to Figure 4, the system 1 includes a base station 100, a security gateway 200, a WLAN-AP 300, a terminal apparatus 400 and a core network 500.
- For example, the system 1 is a system that complies with 3GPP standards. More specifically, the system 1 may be a system that complies with LTE, LTE-Advanced and/or System Architecture Evolution (SAE). Alternatively, the system 1 may be a system that complies with a standard of Fifth Generation (5G). Of course, the system 1 is not limited to these examples.
- The base station 100 is a node which performs wireless communication with a terminal apparatus. In other words, the base station 100 is a node of a radio access network (RAN). For example, the base station 100 may be an eNB, or may be a generation Node B (gNB) in 5G. The base station 100 may include a plurality of units (or a plurality of nodes). The plurality of units (or plurality of nodes) may include a first unit (or a first node) performing processing of a higher protocol layer, and a second unit (or a second node) performing processing of a lower protocol layer. As an example, the first unit may be referred to as a center/central unit (CU), and the second unit may be referred to as a distributed unit (DU) or an access unit (AU). As another example, the first unit may be referred to as a digital unit (DU), and the second unit may be referred to as a radio unit (RU) or a remote unit (RU). The digital unit (DU) may be a base band unit (BBU), and the RU may be a remote radio head (RRH) or a remote radio unit (RRU). Terms used to refer to the first unit (or first node) and the second unit (or second node) are, of course, not limited to these examples. Alternatively, the base station 100 may be a single unit (or single node). In this case, the base station 100 may be one of the plurality of units (e.g., one of the first unit and the second unit) and may be connected to another one of the plurality of units (e.g., the other one of the first unit and the second unit).
- In particular, according to the example embodiments, the base station 100 can transmit/receive data to/from the terminal apparatus 400 wirelessly (e.g. over a Uu interface), and can transmit/receive data to/from the terminal apparatus 400 via the security gateway 200 and the WLAN-AP 300. Specifically, for example, the base station 100 can perform operations of LWIP.
- The security gateway 200 ensures security of communication via a WLAN. For example, the security gateway 200 provides a security tunnel (an IPsec tunnel) for communication via a WLAN. More specifically, for example, the security gateway 200 is a LWIP-SeGW.
- Note that the security gateway 200 is located between the base station 100 on one side and the WLAN-AP 300 and the terminal apparatus 400 on the other side.
- The WLAN-AP 300 is an access point of a WLAN and performs wireless communication with a terminal apparatus (e.g. the terminal apparatus 400) in conformity with one or more of the IEEE 802.11 series (IEEE 802.11b/11a/11g/11n/11ac etc.).
- The terminal apparatus 400 performs wireless communication with a base station. For example, the terminal apparatus 400 performs wireless communication with the base station 100 when the terminal apparatus 400 is located in a coverage area of the base station 100. For example, the terminal apparatus 400 is a UE.
- Particularly, in the present example embodiments, the terminal apparatus 400 can transmit/receive data to/from the base station 100 wirelessly (e.g. over a Uu interface), and can transmit/receive data to/from the base station 100 via the WLAN-AP 300 and the security gateway 200. Specifically, for example, the terminal apparatus 400 can perform operations of LWIP.
- The core network 500 includes a first core network node 600 and a second core network node 700.
- The first core network node 600 is a node responsible for processing of the C-plane. For example, the first core network node 600 transmits a control message to the base station 100, and receives a control message from the base station 100.
- The second core network node 700 is a node responsible for processing of the U-plane. For example, the second core network node 700 transmits a data packet (a packet including data) to the base station 100, and receives a data packet from the base station 100.
- For example, the core network 500 is an EPC, the first core network node 600 is an MME, and the second core network node 700 is an S-GW.
- The system 1 according to the example embodiments of the present disclosure is described above. Note that the base station 100 and the core network 500 (the first core network node 600 and the second core network node 700) are included in a mobile communication network. As an example, the mobile communication network is an Evolved Packet System (EPS).
- Subsequently, a first example embodiment of the present disclosure will be described with reference to Figure 5 to Figure 13.
- Firstly, an example of a configuration of the
base station 100 according to the first example embodiment is described with reference to Figure 5. Figure 5 is a block diagram illustrating an example of a schematic configuration of the base station 100 according to the first example embodiment. Referring to Figure 5, the base station 100 includes a wireless communication unit 110, a network communication unit 120, a storage unit 130 and a processing unit 140.
- The wireless communication unit 110 is configured to wirelessly transmit and receive signals. For example, the wireless communication unit 110 is configured to receive signals from a terminal apparatus and transmit signals to a terminal apparatus.
- The network communication unit 120 is configured to receive signals from a network and transmit signals to a network.
- The storage unit 130 is configured to store programs and parameters for operation of the base station 100 as well as various data temporarily or permanently.
- The processing unit 140 is configured to provide various functions of the base station 100. The processing unit 140 includes an information obtaining unit 141, a first communication processing unit 143, a second communication processing unit 145, a third communication processing unit 147, and a control unit 149. Note that the processing unit 140 may further include constituent elements other than these constituent elements. That is, the processing unit 140 may perform operations other than the operations of these constituent elements. Specific operations of the information obtaining unit 141, the first communication processing unit 143, the second communication processing unit 145, the third communication processing unit 147, and the control unit 149 will be described in detail later.
- For example, the processing unit 140 (the first communication processing unit 143) communicates with the security gateway 200 through the network communication unit 120. For example, the processing unit 140 (the second communication processing unit 145) communicates with a core network node (e.g. the first core network node 600 or the second core network node 700) through the network communication unit 120. For example, the processing unit 140 (the third communication processing unit 147) communicates with a terminal apparatus (e.g. the terminal apparatus 400) through the wireless communication unit 110.
- The wireless communication unit 110 may be implemented with an antenna, a radio frequency (RF) circuit and the like. The network communication unit 120 may be implemented with a network adapter, a network interface card or the like. The storage unit 130 may be implemented with a memory (for example, non-volatile memory and/or volatile memory), a hard disc and/or the like. The processing unit 140 may be implemented with a base band (BB) processor, another processor and/or the like. The information obtaining unit 141, the first communication processing unit 143, the second communication processing unit 145, the third communication processing unit 147 and the control unit 149 may be implemented with the same processor or with respective different processors. The above memory (storage unit 130) may be included in such a processor (a chip).
- The base station 100 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the processing unit 140 (the operations of the information obtaining unit 141, the first communication processing unit 143, the second communication processing unit 145, the third communication processing unit 147 and the control unit 149). The program may be a program for causing a processor to execute the operations of the processing unit 140 (the operations of the information obtaining unit 141, the first communication processing unit 143, the second communication processing unit 145, the third communication processing unit 147 and the control unit 149).
- Next, an example of a configuration of the security gateway 200 according to the first example embodiment is described with reference to Figure 6. Figure 6 is a block diagram illustrating an example of a schematic configuration of the security gateway 200 according to the first example embodiment. Referring to Figure 6, the security gateway 200 includes a network communication unit 210, a storage unit 220 and a processing unit 230.
- The network communication unit 210 is configured to receive signals from a network and transmit signals to a network.
- The storage unit 220 is configured to store programs and parameters for operation of the security gateway 200 as well as various data temporarily or permanently.
- The processing unit 230 is configured to provide various functions of the security gateway 200. The processing unit 230 includes a first communication processing unit 231 and a second communication processing unit 233. Note that the processing unit 230 may further include constituent elements other than these constituent elements. That is, the processing unit 230 may perform operations other than the operations of these constituent elements. Specific operations of the first communication processing unit 231 and the second communication processing unit 233 will be described in detail later.
- For example, the processing unit 230 communicates with another node through the network communication unit 210. Specifically, for example, the processing unit 230 (the first communication processing unit 231) communicates with the base station 100 (or a core network node) through the network communication unit 210. In addition, for example, the processing unit 230 (the second communication processing unit 233) communicates with the terminal apparatus 400 via a WLAN (the WLAN-AP 300) through the network communication unit 210.
- The network communication unit 210 may be implemented with a network adapter, a network interface card or the like. The storage unit 220 may be implemented with a memory (for example, non-volatile memory and/or volatile memory), a hard disc and/or the like. The processing unit 230 may be implemented with a processor and/or the like. The first communication processing unit 231 and the second communication processing unit 233 may be implemented with the same processor or with respective different processors. The above memory (storage unit 220) may be included in such a processor (a chip).
- The security gateway 200 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the processing unit 230 (the operations of the first communication processing unit 231 and the second communication processing unit 233). The program may be a program for causing a processor to execute the operations of the processing unit 230 (the operations of the first communication processing unit 231 and the second communication processing unit 233).
- Next, an example of a configuration of the
terminal apparatus 400 according to the first example embodiment is described with reference to Figure 7. Figure 7 is a block diagram illustrating an example of a schematic configuration of the terminal apparatus 400 according to the first example embodiment. Referring to Figure 7, the terminal apparatus 400 includes a first wireless communication unit 410, a second wireless communication unit 420, a storage unit 430 and a processing unit 440.
- The first wireless communication unit 410 is configured to wirelessly transmit and receive signals. For example, the first wireless communication unit 410 is configured to receive signals from the base station 100 and transmit signals to the base station 100.
- The second wireless communication unit 420 is configured to wirelessly transmit and receive signals. For example, the second wireless communication unit 420 is configured to receive signals from the WLAN-AP 300 and transmit signals to the WLAN-AP 300.
- The storage unit 430 is configured to store programs and parameters for operation of the terminal apparatus 400 as well as various data temporarily or permanently.
- The processing unit 440 is configured to provide various functions of the terminal apparatus 400. The processing unit 440 includes an information obtaining unit 441, a first communication processing unit 443 and a second communication processing unit 445. Note that the processing unit 440 may further include constituent elements other than these constituent elements. That is, the processing unit 440 may perform operations other than the operations of these constituent elements. Specific operations of the information obtaining unit 441, the first communication processing unit 443 and the second communication processing unit 445 will be described in detail later.
- For example, the processing unit 440 (the first communication processing unit 443) communicates with the base station 100 (or a core network node) through the first wireless communication unit 410. In addition, for example, the processing unit 440 (the second communication processing unit 445) communicates with the security gateway 200 (or the base station 100) via the WLAN-AP 300 through the second wireless communication unit 420.
- Each of the first wireless communication unit 410 and the second wireless communication unit 420 may be implemented with an antenna, a radio frequency (RF) circuit and the like. The storage unit 430 may be implemented with a memory (for example, non-volatile memory and/or volatile memory), a hard disc and/or the like. The processing unit 440 may be implemented with a base band (BB) processor, another processor and/or the like. The information obtaining unit 441, the first communication processing unit 443 and the second communication processing unit 445 may be implemented with the same processor or with respective different processors. The above memory (storage unit 430) may be included in such a processor (a chip).
- The terminal apparatus 400 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the processing unit 440 (the operations of the information obtaining unit 441, the first communication processing unit 443 and the second communication processing unit 445). The program may be a program for causing a processor to execute the operations of the processing unit 440 (the operations of the information obtaining unit 441, the first communication processing unit 443 and the second communication processing unit 445).
- Next, an example of a configuration of the first core network node 600 according to the first example embodiment is described with reference to Figure 8. Figure 8 is a block diagram illustrating an example of a schematic configuration of the first core network node 600 according to the first example embodiment. Referring to Figure 8, the first core network node 600 includes a network communication unit 610, a storage unit 620 and a processing unit 630.
- The network communication unit 610 is configured to receive signals from a network and transmit signals to a network.
- The storage unit 620 is configured to store programs and parameters for operation of the first core network node 600 as well as various data temporarily or permanently.
- The processing unit 630 is configured to provide various functions of the first core network node 600. The processing unit 630 includes an information obtaining unit 631 and a communication processing unit 633. Note that the processing unit 630 may further include constituent elements other than these constituent elements. That is, the processing unit 630 may perform operations other than the operations of these constituent elements. Specific operations of the information obtaining unit 631 and the communication processing unit 633 will be described in detail later.
- For example, the processing unit 630 communicates with another node through the network communication unit 610. Specifically, for example, the processing unit 630 (the communication processing unit 633) communicates with the base station 100 (or another core network node) through the network communication unit 610.
- The network communication unit 610 may be implemented with a network adapter, a network interface card or the like. The storage unit 620 may be implemented with a memory (for example, non-volatile memory and/or volatile memory), a hard disc and/or the like. The processing unit 630 may be implemented with a processor and/or the like. The information obtaining unit 631 and the communication processing unit 633 may be implemented with the same processor or with respective different processors. The above memory (storage unit 620) may be included in such a processor (a chip).
- The first core network node 600 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the processing unit 630 (the operations of the information obtaining unit 631 and the communication processing unit 633). The program may be a program for causing a processor to execute the operations of the processing unit 630 (the operations of the information obtaining unit 631 and the communication processing unit 633).
- Next, technical features of the first example embodiment are described with reference to Figure 9 and Figure 13.
- The terminal apparatus 400 (the information obtaining unit 441) obtains capability information related to capability of the terminal apparatus 400. Then the terminal apparatus 400 (the first communication processing unit 443) transmits the capability information to a mobile communication network.
- Particularly according to the first example embodiment, the capability information includes information indicating an authentication scheme supported by the terminal apparatus 400 (hereinafter referred to as "authentication capability information"), and/or information indicating an encryption scheme for IPsec supported by the terminal apparatus 400 (hereinafter referred to as "encryption capability information"). Note that the authentication scheme may be referred to as a mutual authentication scheme.
- For example, the authentication capability information includes information indicating a digital signature scheme supported by the terminal apparatus.
- More specifically, for example, the information indicating the digital signature scheme includes at least one of information indicating whether Rivest Shamir Adleman (RSA) is supported and information indicating whether Digital Signature Algorithm (DSA) is supported.
- Of course, the authentication capability information may include other information. Specifically, the authentication capability information may include information indicating whether PSK is supported.
- For example, the encryption capability information includes at least one of information indicating an encryption algorithm supported by the terminal apparatus 400 and information indicating a key generation scheme supported by the terminal apparatus 400.
- For example, the information indicating the key generation scheme includes at least one of information indicating a pseudo-random function (PRF) supported by the terminal apparatus 400 and information indicating a Diffie-Hellman (DH) group supported by the terminal apparatus 400.
- Figure 9 is an explanatory diagram for describing an example of authentication capability information and encryption capability information according to a first example embodiment. Referring to Figure 9, four parameters, namely Mutual Authentication, Encryption Algorithm, Pseudo-Random Function and DH Group, are illustrated. For example, the parameter of Mutual Authentication includes information indicating whether PSK is supported, information indicating whether RSA is supported, and information indicating whether DSA is supported. For example, the parameter of Encryption Algorithm includes information indicating whether AES-CBC 128bit is supported, information indicating whether AES-CBC 192bit is supported, information indicating whether AES-CBC 256bit is supported, information indicating whether AES-CCM 128bit is supported, and information indicating whether 3DES-CBC 168bit is supported. Note that the parameter of Pseudo-Random Function and the parameter of DH Group can be described in the same way.
- Note that the capability information may be "UE network capability" or "UE security capability" specified in 3GPP TS 24.301 (or a part of it), or may be the "UE Capability Information message" specified in 3GPP TS 36.331 or an information element (IE) included in this message. In this case, the authentication capability information and/or the encryption capability information may be information newly added to such an IE or such a message. Alternatively, the authentication capability information and/or the encryption capability information may be information included in another message or another IE.
- For example, the mobile communication network includes the first core network node 600 (e.g. an MME), and the terminal apparatus 400 (the first communication processing unit 443) transmits the capability information to the first core network node 600. For example, the terminal apparatus 400 transmits a Non-Access Stratum (NAS) message including the capability information to the first core network node 600 via the base station 100. Then, the first core network node 600 (the communication processing unit 633) receives the capability information. The first core network node 600 (the storage unit 620) stores the capability information. Alternatively, the first core network node 600 (the communication processing unit 633) transmits the capability information to a Home Subscriber Server (HSS), and makes the HSS store the capability information.
- Furthermore, for example, the first core network node 600 (the information obtaining unit 631) obtains the capability information independently or in response to a request from the base station 100. Then, the first core network node 600 (the communication processing unit 633) transmits the capability information to the base station 100. For example, the first core network node 600 (the communication processing unit 633) transmits an S1 message including the capability information to the base station 100. The base station 100 (the second communication processing unit 145) receives the capability information from the first core network node 600.
- Figure 10 is a sequence diagram for describing a first example of a schematic flow of processing according to a first example embodiment. The terminal apparatus 400 transmits an Attach Request message including capability information to the first core network node 600 via the base station 100 (S801). The first core network node 600 transmits an Initial Context Setup Request message including the capability information to the base station 100, and the base station 100 receives this message (S803). Then, the base station 100 transmits an Initial Context Setup Response message to the first core network node 600. In particular, authentication capability information and/or encryption capability information is newly added to the capability information, and the base station 100 can obtain the authentication capability information and/or the encryption capability information.
- Figure 11 is a sequence diagram for describing a second example of a schematic flow of processing according to a first example embodiment. The terminal apparatus 400 transmits an Attach Request message including capability information to the first core network node 600 via the base station 100 (S811). The base station 100 transmits a UE Capability Request message to the first core network node 600 (e.g. after receiving an Initial Context Setup Request message) (S813). Then the first core network node 600 transmits a UE Capability Response message including the capability information, and the base station 100 receives this message (S815). For example, the above described UE Capability Request message and UE Capability Response message (or messages with other names) are newly defined as S1 messages and particularly include authentication capability information and/or encryption capability information. Thus, it is possible for the base station 100 to obtain the authentication capability information and/or the encryption capability information.
- Note that the terminal apparatus 400 may transmit a certificate used in the digital signature scheme with the authentication capability information to the first core network node 600, and the first core network node 600 may transmit the certificate with the authentication capability information to the base station 100.
- The mobile communication network may include the base station 100 (e.g. an eNB), and the terminal apparatus 400 (the first communication processing unit 443) may transmit the capability information to the base station 100. For example, the terminal apparatus 400 may transmit a Radio Resource Control (RRC) message including the capability information to the first core network node 600 via the base station 100. Then the base station 100 (the third communication processing unit 147) may receive the capability information. The base station 100 (the storage unit 130) may store the capability information.
- Figure 12 is a sequence diagram for describing a third example of a schematic flow of processing according to a first example embodiment. The base station 100 transmits a UE Capability Enquiry message to the terminal apparatus 400 (S821). Then, the terminal apparatus 400 transmits a UE Capability Information message including the capability information to the base station 100, and the base station 100 receives this message (S823). After that, the base station 100 transmits a UE Capability Info Indication message to the first core network node 600 (S825). In particular, authentication capability information and/or encryption capability information is newly added to the UE Capability Information message, and the base station 100 can obtain the authentication capability information and/or the encryption capability information.
- Note that the terminal apparatus 400 may transmit a certificate used in the digital signature scheme with the authentication capability information to the base station 100.
- An authentication scheme and/or an encryption scheme may be predetermined per service class instead of transmitting the capability information from the terminal apparatus 400 to the mobile communication network as described above. For example, information indicating an authentication scheme and/or an encryption scheme per service class may be stored in the base station 100 (the storage unit 130) (for example as Operations, Administration, Maintenance (OAM) information). The base station 100 may read, from this information, an authentication scheme and/or an encryption scheme corresponding to a service class of the terminal apparatus 400. The service class may be a Quality of service Class Identifier (QCI) or an Internet Protocol (IP) flow.
- As described above, the base station 100 may obtain the capability information (the authentication capability information and/or the encryption capability information in particular).
- For example, the base station 100 (the information obtaining unit 141) obtains the capability information. Then the base station 100 (the control unit 149) selects an authentication scheme and/or an encryption scheme to be used for communication between the terminal apparatus 400 and the security gateway 200 based on the capability information.
- For example, the authentication scheme is a digital signature scheme. More specifically, for example, the authentication scheme is RSA or DSA.
- Of course, the authentication scheme may be another scheme. For example, the authentication scheme may be PSK.
- As an example, the base station 100 (the control unit 149) selects one of PSK, RSA and DSA.
- For example, the encryption scheme is an encryption scheme for IPsec. In other words, the encryption scheme is an encryption scheme for an IPsec tunnel between the terminal apparatus 400 and the security gateway 200.
- More specifically, for example, the encryption scheme includes at least one of an encryption algorithm and a key generation scheme. Furthermore, for example, the key generation scheme includes at least one of a pseudo-random function (PRF) and a DH group.
- As an example, the encryption scheme includes an encryption algorithm, a pseudo-random function (PRF) and a DH group. That is, the base station 100 (the control unit 149) selects an encryption algorithm, a pseudo-random function (PRF) and a DH group to be used for communication between the terminal apparatus 400 and the security gateway 200. More specifically, for example, the base station 100 (the control unit 149) selects an encryption algorithm, a pseudo-random function (PRF) and a DH group for an IPsec tunnel between the terminal apparatus 400 and the security gateway 200.
- For example, the authentication scheme and/or the encryption scheme are schemes per service class. That is, the base station 100 (the control unit 149) selects the authentication scheme and/or the encryption scheme per service class.
- For example, when the service class is a QCI, the base station 100 (the control unit 149) selects the authentication scheme and/or the encryption scheme per QCI (per bearer). Alternatively, the service class may be an IP flow, and the base station 100 (the control unit 149) may select the authentication scheme and/or the encryption scheme per IP flow.
- This, for example, makes it possible to apply an authentication scheme and/or an encryption scheme which is different per service class. Security may be ensured more flexibly.
- Note that, of course, the first example embodiment is not limited to this example. For example, the authentication scheme and/or the encryption scheme may be schemes per user (per terminal apparatus). That is, the base station 100 (the control unit 149) may select the authentication scheme and/or the encryption scheme per user (terminal apparatus).
- For example, the base station 100 (the control unit 149) selects an authentication scheme and/or an encryption scheme supported by both of the terminal apparatus 400 and the security gateway 200.
- Furthermore, the base station 100 (the control unit 149) may select an authentication scheme and/or an encryption scheme based on a service class of the terminal apparatus 400. Specifically, when the service class of the terminal apparatus 400 requires a higher level of security, the base station 100 (the control unit 149) may select a more secure authentication scheme and/or a more secure encryption scheme.
- Alternatively, the base station 100 (the control unit 149) may select the most secure one of the authentication schemes and/or encryption schemes supported by both of the terminal apparatus 400 and the security gateway 200.
- For example, as described above, the base station 100 (the control unit 149) selects the authentication scheme and/or the encryption scheme. Note that the base station 100 (the control unit 149) generates scheme information indicating the authentication scheme and/or the encryption scheme.
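As an added illustration (not the patent's code), the following Python shows the selection described above: per QCI, the base station intersects the capability information of the UE and of the SeGW, takes the most secure common option that still meets the floor required by that service class, and assembles the scheme information; the rankings, algorithm names, policy shape, payload layout and sample capabilities are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, TypeVar

T = TypeVar("T")

# Rankings, most secure first. Assumed orderings for this illustration; the
# patent only speaks of "more secure" / "most secure" schemes.
AUTH_RANK: List[str] = ["RSA", "DSA"]                      # digital signature schemes
ENC_RANK: List[str] = ["AES-GCM-256", "AES-CBC-256", "AES-CBC-128", "3DES"]
PRF_RANK: List[str] = ["HMAC-SHA2-512", "HMAC-SHA2-256", "HMAC-SHA1"]
DH_RANK: List[int] = [21, 19, 14, 2]                       # IKEv2 DH group numbers


@dataclass(frozen=True)
class Capability:
    """Authentication / encryption capability information of one endpoint."""
    auth: FrozenSet[str]
    enc: FrozenSet[str]
    prf: FrozenSet[str]
    dh: FrozenSet[int]


@dataclass(frozen=True)
class SchemeInfo:
    """Scheme information the base station sends to the SeGW and the UE."""
    auth: str
    enc: str
    prf: str
    dh: int


@dataclass(frozen=True)
class ServicePolicy:
    """Security floor for one service class (QCI): a candidate is acceptable
    only if its index in the ranking is <= the floor (0 = strongest option
    only); None means no floor for that parameter. Assumed policy shape."""
    enc_floor: Optional[int] = None
    prf_floor: Optional[int] = None
    dh_floor: Optional[int] = None


class NoCommonScheme(Exception):
    """UE and SeGW share no option that meets the service class floor."""


def best_common(rank: Sequence[T], ue: FrozenSet[T], segw: FrozenSet[T],
                floor: Optional[int]) -> Optional[T]:
    """Most secure option supported by both sides and not weaker than the floor."""
    for idx, cand in enumerate(rank):
        if floor is not None and idx > floor:
            break                       # every remaining candidate is too weak
        if cand in ue and cand in segw:
            return cand
    return None


def select_scheme(qci: int, ue: Capability, segw: Capability,
                  policies: Dict[int, ServicePolicy]) -> SchemeInfo:
    """Select the scheme for the UE-SeGW IPsec tunnel carrying bearer `qci`."""
    pol = policies.get(qci, ServicePolicy())
    chosen = {
        "auth": best_common(AUTH_RANK, ue.auth, segw.auth, None),
        "enc": best_common(ENC_RANK, ue.enc, segw.enc, pol.enc_floor),
        "prf": best_common(PRF_RANK, ue.prf, segw.prf, pol.prf_floor),
        "dh": best_common(DH_RANK, ue.dh, segw.dh, pol.dh_floor),
    }
    missing = [name for name, val in chosen.items() if val is None]
    if missing:
        # Never fall back below the floor: the bearer is simply not offloaded.
        raise NoCommonScheme(f"QCI {qci}: no common {', '.join(missing)} meeting policy")
    return SchemeInfo(**chosen)


def security_configuration_request(ue: Capability, segw: Capability,
                                   policies: Dict[int, ServicePolicy]) -> dict:
    """Per-service-class scheme information for the Security Configuration
    Request (message name from the patent; this payload layout is assumed).
    Bearers without an acceptable scheme are reported, not weakened."""
    accepted: Dict[int, SchemeInfo] = {}
    rejected: Dict[int, str] = {}
    for qci in sorted(policies):
        try:
            accepted[qci] = select_scheme(qci, ue, segw, policies)
        except NoCommonScheme as exc:
            rejected[qci] = str(exc)
    return {"scheme_information": accepted, "rejected": rejected}


# Constructed sample capability information (not taken from the patent).
UE_CAP = Capability(auth=frozenset({"RSA", "DSA"}),
                    enc=frozenset({"AES-CBC-128", "AES-CBC-256", "3DES"}),
                    prf=frozenset({"HMAC-SHA1", "HMAC-SHA2-256"}),
                    dh=frozenset({2, 14, 19}))
SEGW_CAP = Capability(auth=frozenset({"RSA"}),
                      enc=frozenset({"AES-GCM-256", "AES-CBC-256", "3DES"}),
                      prf=frozenset({"HMAC-SHA2-256", "HMAC-SHA2-512"}),
                      dh=frozenset({14, 19, 21}))
# Constructed per-QCI policies: default bearer (9) has no floor, IMS signalling
# (5) wants 256-bit encryption, SHA-2 and at least group 19, and QCI 1 is given
# an AEAD-only floor to exercise the rejection path.
POLICIES = {9: ServicePolicy(),
            5: ServicePolicy(enc_floor=1, prf_floor=1, dh_floor=1),
            1: ServicePolicy(enc_floor=0)}

if __name__ == "__main__":
    print(security_configuration_request(UE_CAP, SEGW_CAP, POLICIES))
```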
- The base station 100 (the information obtaining unit 141) obtains the scheme information indicating the authentication scheme and/or the encryption scheme (i.e. a selected authentication scheme and/or a selected encryption scheme). Then, the base station 100 (the first communication processing unit 143) transmits the scheme information to the security gateway 200. The security gateway 200 (the first communication processing unit 231) receives the scheme information from the base station 100. For example, a newly defined interface between the base station 100 and the security gateway 200 is used for transmission and reception of the scheme information.
- This, for example, enables the security gateway 200 to use an authentication scheme and/or an encryption scheme selected by the base station 100.
- Furthermore, for example, the base station 100 (the third communication processing unit 147) transmits the scheme information to the terminal apparatus 400. The terminal apparatus 400 (the first communication processing unit 443) receives the scheme information from the base station 100.
- This, for example, enables the terminal apparatus 400 to use an authentication scheme and/or an encryption scheme selected by the base station 100.
- For example, the base station 100 transmits the scheme information to the security gateway 200 and the terminal apparatus 400 per service class.
- Note that, if the authentication scheme is the digital signature scheme (e.g. RSA or DSA), the base station 100 (the information obtaining unit 141) may obtain a certificate used in the digital signature scheme. Then, the base station 100 (the first communication processing unit 143) may transmit the certificate to the security gateway 200. The security gateway 200 (the first communication processing unit 231) may receive the certificate.
- The security gateway 200 (the second communication processing unit 233) performs mutual authentication and/or encryption for communication with the terminal apparatus 400 via a WLAN (the WLAN-AP 300) based on the scheme information. For example, the security gateway 200 (the second communication processing unit 233) performs mutual authentication with the terminal apparatus 400 according to an authentication scheme indicated by the scheme information. For example, the security gateway 200 (the second communication processing unit 233) generates an encryption key according to a key generation scheme indicated by the scheme information, and performs encryption according to an encryption algorithm indicated by the scheme information.
- The terminal apparatus 400 (the second communication processing unit 445) performs authentication or encryption for communication with the security gateway 200 via a WLAN (the WLAN-AP 300) based on the scheme information. The specific operations of the terminal apparatus 400 are the same as the above described specific operations of the security gateway 200.
- Note that the base station 100 may request release and resetting of an IPsec tunnel from the security gateway 200. In this case, when resetting an IPsec tunnel released by the security gateway 200, or when performing setting of a new IPsec tunnel, the terminal apparatus 400 may use an authentication scheme and/or an encryption scheme selected by the base station 100.
- Figure 13 is a sequence diagram for describing a fourth example of a schematic flow of processing according to the first example embodiment.
- The base station 100 selects an authentication scheme and/or an encryption scheme to be used for communication between the terminal apparatus 400 and the security gateway 200 based on capability information (S831).
- The base station 100 transmits, to the security gateway 200, a Security Configuration Request message including scheme information indicating the authentication scheme and/or the encryption scheme (S833). The security gateway 200 receives this message (S833) and transmits a response message to the base station 100 (S835).
- Furthermore, the base station 100 transmits a Security Configuration Request message including the scheme information to the terminal apparatus 400 (S837). The terminal apparatus 400 receives this message (S837) and transmits a response message to the base station 100 (S839).
- Then, the security gateway 200 and the terminal apparatus 400 perform, based on the scheme information, mutual authentication and/or encryption for communicating with each other via a WLAN (S841, S843). More specifically, for example, the security gateway 200 and the terminal apparatus 400 perform, based on the scheme information, mutual authentication and/or encryption for an IPsec tunnel between the security gateway 200 and the terminal apparatus 400.
- The first example embodiment has been described above. According to the first example embodiment, the terminal apparatus 400 transmits authentication capability information and/or encryption capability information to a network, the base station 100 selects an authentication scheme and/or an encryption scheme based on such information, and the security gateway uses the authentication scheme and/or the encryption scheme. This, for example, makes it possible to ensure security of communication via a WLAN more flexibly. As a result, the security may be improved.
- Subsequently, a second example embodiment of the present disclosure will be described with reference to
Figure 14 to Figure 17. The above described first example embodiment is a specific example embodiment, while the second example embodiment is a more generalized example embodiment.
- Firstly, an example of a configuration of the base station 100 according to the second example embodiment is described with reference to Figure 14. Figure 14 is a block diagram illustrating an example of a schematic configuration of the base station 100 according to the second example embodiment. Referring to Figure 14, the base station 100 includes an information obtaining unit 151 and a first communication processing unit 153.
- Specific operations of the information obtaining unit 151 and the first communication processing unit 153 will be described later.
- The information obtaining unit 151 and the first communication processing unit 153 may be implemented with a base band (BB) processor, another processor and/or the like. The information obtaining unit 151 and the first communication processing unit 153 may be implemented with the same processor or with respective different processors.
- The base station 100 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the information obtaining unit 151 and the first communication processing unit 153. The program may be a program for causing a processor to execute the operations of the information obtaining unit 151 and the first communication processing unit 153.
- Next, an example of a configuration of the security gateway 200 according to the second example embodiment is described with reference to Figure 15. Figure 15 is a block diagram illustrating an example of a schematic configuration of the security gateway 200 according to the second example embodiment. Referring to Figure 15, the security gateway 200 includes a first communication processing unit 241 and a second communication processing unit 243.
- Specific operations of the first communication processing unit 241 and the second communication processing unit 243 will be described later.
- The first communication processing unit 241 and the second communication processing unit 243 may be implemented with a processor and/or the like. The first communication processing unit 241 and the second communication processing unit 243 may be implemented with the same processor or with respective different processors.
- The security gateway 200 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the first communication processing unit 241 and the second communication processing unit 243. The program may be a program for causing a processor to execute the operations of the first communication processing unit 241 and the second communication processing unit 243.
- Next, an example of a configuration of the terminal apparatus 400 according to the second example embodiment is described with reference to Figure 16. Figure 16 is a block diagram illustrating an example of a schematic configuration of the terminal apparatus 400 according to the second example embodiment. Referring to Figure 16, the terminal apparatus 400 includes an information obtaining unit 451 and a first communication processing unit 453.
- Specific operations of the information obtaining unit 451 and the first communication processing unit 453 will be described later.
- The information obtaining unit 451 and the first communication processing unit 453 may be implemented with a base band (BB) processor, another processor and/or the like. The information obtaining unit 451 and the first communication processing unit 453 may be implemented with the same processor or with respective different processors.
- The terminal apparatus 400 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the information obtaining unit 451 and the first communication processing unit 453. The program may be a program for causing a processor to execute the operations of the information obtaining unit 451 and the first communication processing unit 453.
- Next, an example of a configuration of the first core network node 600 according to the second example embodiment is described with reference to Figure 17. Figure 17 is a block diagram illustrating an example of a schematic configuration of the first core network node 600 according to the second example embodiment. Referring to Figure 17, the first core network node 600 includes an information obtaining unit 641 and a communication processing unit 643.
- Specific operations of the information obtaining unit 641 and the communication processing unit 643 will be described later.
- The information obtaining unit 641 and the communication processing unit 643 may be implemented with a processor and/or the like. The information obtaining unit 641 and the communication processing unit 643 may be implemented with the same processor or with respective different processors.
- The first core network node 600 may include a memory that stores a program and one or more processors that are capable of executing the program, and the one or more processors may execute the operations of the information obtaining unit 641 and the communication processing unit 643. The program may be a program for causing a processor to execute the operations of the information obtaining unit 641 and the communication processing unit 643.
- Next, technical features of the second example embodiment are described.
- The terminal apparatus 400 (the information obtaining unit 451) obtains capability information related to capability of the terminal apparatus 400. Then the terminal apparatus 400 (the first communication processing unit 453) transmits the capability information to a mobile communication network.
- For example, the first core network node 600 (the information obtaining unit 641) obtains the capability information. Then, the first core network node 600 (the communication processing unit 643) transmits the capability information to the base station 100.
- The base station 100 (the information obtaining unit 151) obtains scheme information indicating an authentication scheme and/or an encryption scheme to be used for communication between the terminal apparatus 400 and the security gateway 200. Then, the base station 100 (the first communication processing unit 153) transmits the scheme information to the security gateway 200. The security gateway 200 (the first communication processing unit 241) receives the scheme information from the base station 100.
- The security gateway 200 (the second communication processing unit 243) performs mutual authentication and/or encryption for communication with the terminal apparatus 400 via a WLAN (the WLAN-AP 300) based on the scheme information.
- Specific descriptions related to the above described operations are, for example, the same as the corresponding descriptions for the first example embodiment, except for differences in some of the reference signs. Hence, overlapping descriptions are omitted here.
- The second example embodiment has been described above. According to the second example embodiment, for example, it is possible to ensure security of communication via a WLAN more flexibly. As a result, the security may be improved.
- While the example embodiments of the present disclosure have been described above, the present disclosure is not limited to these example embodiments. It will be understood by those skilled in the art that these example embodiments are merely examples and various modification/change can be made without departing from the scope and the spirit of the present disclosure.
- For example, the steps in any processing described herein need not be performed chronologically in the order illustrated in the corresponding sequence diagram. For example, the steps of the processing may be performed in an order different from the order illustrated as the corresponding sequence diagram or may be performed in parallel. Moreover, one or some of the steps of the processing may be deleted, or one or more steps may be added to the processing.
- In addition, an apparatus (e.g. one or more apparatuses (or units) out of a plurality of apparatuses (or units) constituting the base station, or a module for one of the plurality of apparatuses (or units)) including constituent elements of the base station described herein (e.g. the information obtaining unit, the first communication processing unit, the second communication processing unit, the third communication processing unit and/or the control unit) may be provided. An apparatus (e.g. a module for the security gateway) including constituent elements of the security gateway described herein (e.g. the first communication processing unit and/or the second communication processing unit) may be provided. An apparatus (e.g. a module for the terminal apparatus) including constituent elements of the terminal apparatus described herein (e.g. the information obtaining unit, the first communication processing unit and/or the second communication processing unit) may be provided. An apparatus (e.g. a module for the core network node) including constituent elements of the core network node described herein (e.g. the information obtaining unit and/or the communication processing unit) may be provided. Moreover, methods including processing of such constituent elements may be provided, and programs for causing processors to execute processing of such constituent elements may be provided. Furthermore, non-transitory computer readable recording media having recorded thereon the program may be provided. Of course, such apparatuses, modules, methods, programs and non-transitory computer readable recording media are also included in the present disclosure.
- Some of or all the above-described example embodiments can be described as in the following Supplementary Notes, but are not limited to the following.
- Supplementary Note 1: A terminal apparatus comprising:
- an information obtaining unit configured to obtain capability information related to capability of the terminal apparatus; and
- a first communication processing unit configured to transmit the capability information to a mobile communication network,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for Security Architecture for Internet Protocol (IPsec) supported by the terminal apparatus.
- Supplementary Note 2: The terminal apparatus according to Supplementary Note 1, wherein the information indicating the authentication scheme includes information indicating a digital signature scheme supported by the terminal apparatus.
- Supplementary Note 3: The terminal apparatus according to Supplementary Note 2, wherein the information indicating the digital signature scheme includes at least one of information indicating whether Rivest Shamir Adleman (RSA) is supported and information indicating whether Digital Signature Algorithm (DSA) is supported.
- Supplementary Note 4: The terminal apparatus according to any one of Supplementary Notes 1 to 3, wherein the information indicating the encryption scheme includes at least one of information indicating an encryption algorithm supported by the terminal apparatus and information indicating a key generation scheme supported by the terminal apparatus.
- Supplementary Note 5: The terminal apparatus according to Supplementary Note 4, wherein the information indicating the key generation scheme includes at least one of information indicating a pseudo-random function supported by the terminal apparatus and information indicating a Diffie-Hellman (DH) group supported by the terminal apparatus.
- Supplementary Note 6: The terminal apparatus according to any one of Supplementary Notes 1 to 5, wherein
the mobile communication network includes a core network node, and
the first communication processing unit is configured to transmit the capability information to the core network node.
- Supplementary Note 7: The terminal apparatus according to any one of Supplementary Notes 1 to 6, wherein
the mobile communication network includes a base station, and
the first communication processing unit is configured to transmit the capability information to the base station.
- Supplementary Note 8: The terminal apparatus according to any one of Supplementary Notes 1 to 7, wherein
the mobile communication network includes a base station,
the first communication processing unit receives, from the base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between the terminal apparatus and a security gateway via a wireless local area network, and
the terminal apparatus further comprises a second communication processing unit configured to perform authentication or encryption for communication with the security gateway via the wireless local area network based on the scheme information.
- Supplementary Note 9: A core network node comprising:
- an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus; and
- a communication processing unit configured to transmit the capability information to a base station,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 10: A base station comprising:
- an information obtaining unit configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- a first communication processing unit configured to transmit the scheme information to the security gateway.
- Supplementary Note 11: The base station according to Supplementary Note 10, wherein the authentication scheme is a digital signature scheme.
- Supplementary Note 12: The base station according to Supplementary Note 11, wherein
the information obtaining unit is configured to obtain a certificate used in the digital signature scheme, and
the first communication processing unit is configured to transmit the certificate to the security gateway.
- Supplementary Note 13: The base station according to any one of Supplementary Notes 10 to 12, wherein the encryption scheme is an encryption scheme for IPsec.
- Supplementary Note 14: The base station according to any one of Supplementary Notes 10 to 13, wherein the encryption scheme includes at least one of an encryption algorithm and a key generation scheme.
- Supplementary Note 15: The base station according to Supplementary Note 14, wherein the key generation scheme includes at least one of a pseudo-random function and a Diffie-Hellman (DH) group.
- Supplementary Note 16: The base station according to any one of Supplementary Notes 10 to 15, wherein
the information obtaining unit is configured to obtain capability information related to capability of the terminal apparatus,
the capability information includes information indicating an authentication scheme or an encryption scheme supported by the terminal apparatus, and
the base station further comprises a control unit configured to select the authentication scheme or the encryption scheme to be used for the communication between the terminal apparatus and the security gateway based on the capability information.
- Supplementary Note 17: The base station according to Supplementary Note 16, further comprising a second communication processing unit configured to receive the capability information from a core network node.
- Supplementary Note 18: The base station according to Supplementary Note 16, further comprising a third communication processing unit configured to receive the capability information from the terminal apparatus.
- Supplementary Note 19: The base station according to any one of Supplementary Notes 10 to 18, wherein the authentication scheme or the encryption scheme is a scheme per service class.
- Supplementary Note 20: The base station according to Supplementary Note 19, wherein the service class is a quality of service class identifier (QCI) or an Internet Protocol (IP) flow.
- Supplementary Note 21: The base station according to any one of Supplementary Notes 10 to 20, further comprising a third communication processing unit configured to transmit the scheme information to the terminal apparatus.
- Supplementary Note 22: The base station according to any one of Supplementary Notes 10 to 21, wherein
the base station is an evolved Node B (eNB),
the terminal apparatus is a user equipment (UE), and
the security gateway is an LTE WLAN RAN Level Integration using IPSec Security Gateway (LWIP-SeGW).
- Supplementary Note 23: A security gateway comprising:
- a first communication processing unit configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and the security gateway via a wireless local area network; and
- a second communication processing unit configured to perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- Supplementary Note 24: A method comprising:
- obtaining capability information related to capability of a terminal apparatus; and
- transmitting the capability information to a mobile communication network,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 25: A program for causing a processor to execute:
- obtaining capability information related to capability of a terminal apparatus; and
- transmitting the capability information to a mobile communication network,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 26: A non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute:
- obtaining capability information related to capability of a terminal apparatus; and
- transmitting the capability information to a mobile communication network,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 27: An apparatus comprising:
- an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus; and
- a first communication processing unit configured to transmit the capability information to a mobile communication network,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for Security Architecture for Internet Protocol (IPsec) supported by the terminal apparatus.
- Supplementary Note 28: An apparatus comprising:
- a memory storing a program; and
- one or more processors capable of executing the program,
- wherein the program is a program for causing a processor to execute:
- obtaining capability information related to capability of a terminal apparatus; and
- transmitting the capability information to a mobile communication network,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 29: An apparatus comprising:
- a memory; and
- one or more processors,
- wherein the one or more processors are configured to:
- obtain capability information related to capability of a terminal apparatus; and
- transmit the capability information to a mobile communication network,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 30: The apparatus according to any one of Supplementary Notes 27 to 29, wherein the apparatus is the terminal apparatus or a module for the terminal apparatus.
- Supplementary Note 31: A method comprising:
- obtaining capability information related to capability of a terminal apparatus; and
- transmitting the capability information to a base station,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 32: A program for causing a processor to execute:
- obtaining capability information related to capability of a terminal apparatus; and
- transmitting the capability information to a base station,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 33: A non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute:
- obtaining capability information related to capability of a terminal apparatus; and
- transmitting the capability information to a base station,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 34: An apparatus comprising:
- an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus; and
- a communication processing unit configured to transmit the capability information to a base station,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 35: An apparatus comprising:
- a memory storing a program; and
- one or more processors capable of executing the program,
- wherein the program is a program for causing a processor to execute:
- obtaining capability information related to capability of a terminal apparatus; and
- transmitting the capability information to a base station,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 36: An apparatus comprising:
- a memory; and
- one or more processors,
- wherein the one or more processors are configured to:
- obtain capability information related to capability of a terminal apparatus; and
- transmit the capability information to a base station,
- wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- Supplementary Note 37: The apparatus according to any one of Supplementary Notes 34 to 36, wherein the apparatus is a core network node or a module for a core network node.
- Supplementary Note 38: A method comprising:
- obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- transmitting the scheme information to the security gateway.
- Supplementary Note 39: A program for causing a processor to execute:
- obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- transmitting the scheme information to the security gateway.
- Supplementary Note 40: A non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute:
- obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- transmitting the scheme information to the security gateway.
- Supplementary Note 41: An apparatus comprising:
- an information obtaining unit configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- a first communication processing unit configured to transmit the scheme information to the security gateway.
- Supplementary Note 42: An apparatus comprising:
- a memory storing a program; and
- one or more processors capable of executing the program,
- wherein the program is a program for causing a processor to execute:
- obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- transmitting the scheme information to the security gateway.
- Supplementary Note 43: An apparatus comprising:
- a memory; and
- one or more processors,
- wherein the one or more processors are configured to:
- obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- transmit the scheme information to the security gateway.
- Supplementary Note 44: The apparatus according to any one of Supplementary Notes 41 to 43, wherein the apparatus is a base station, one or more apparatuses out of a plurality of apparatuses constituting a base station, or a module of one of the plurality of apparatuses.
- Supplementary Note 45: A method comprising:
- receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- Supplementary Note 46: A program for causing a processor to execute:
- receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- A non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute:
- receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- An apparatus comprising:
- a first communication processing unit configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- a second communication processing unit configured to perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- An apparatus comprising:
- a memory storing a program; and
- one or more processors capable of executing the program,
- wherein the program is a program for causing a processor to execute:
- receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- An apparatus comprising:
- a memory; and
- one or more processors,
- wherein the one or more processors are configured to:
- receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and
- perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- The apparatus according to any one of Supplementary Notes 48 to 50, wherein the apparatus is the security gateway or a module for the security gateway.
- This application claims priority based on Japanese Patent Application No. 2016-215220 filed on November 2, 2016.
- In a mobile communication system, it is possible to ensure security of communication via a WLAN more flexibly.
- 1: System
- 100: Base Station
- 141, 151: Information Obtaining Unit
- 143, 153: First Communication Processing Unit
- 145: Second Communication Processing Unit
- 147: Third Communication Processing Unit
- 149: Control Unit
- 200: Security Gateway
- 231, 241: First Communication Processing Unit
- 233, 243: Second Communication Processing Unit
- 300: Wireless Local Area Network Access Point (WLAN-AP)
- 400: Terminal Apparatus
- 441, 451: Information Obtaining Unit
- 443, 453: First Communication Processing Unit
- 445: Second Communication Processing Unit
- 500: Core Network
- 600: First Core Network Node
- 631, 641: Information Obtaining Unit
- 633, 643: Communication Processing Unit
- 700: Second Core Network Node
Claims (51)
- A terminal apparatus comprising: an information obtaining unit configured to obtain capability information related to capability of the terminal apparatus; and a first communication processing unit configured to transmit the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for Security Architecture for Internet Protocol (IPsec) supported by the terminal apparatus.
- The terminal apparatus according to claim 1, wherein the information indicating the authentication scheme includes information indicating a digital signature scheme supported by the terminal apparatus.
- The terminal apparatus according to claim 2, wherein the information indicating the digital signature scheme includes at least one of information indicating whether Rivest Shamir Adleman (RSA) is supported and information indicating whether Digital Signature Algorithm (DSA) is supported.
- The terminal apparatus according to any one of claims 1 to 3, wherein the information indicating the encryption scheme includes at least one of information indicating an encryption algorithm supported by the terminal apparatus and information indicating a key generation scheme supported by the terminal apparatus.
- The terminal apparatus according to claim 4, wherein the information indicating the key generation scheme includes at least one of information indicating a pseudo-random function supported by the terminal apparatus and information indicating a Diffie-Hellman (DH) group supported by the terminal apparatus.
- The terminal apparatus according to any one of claims 1 to 5, wherein the mobile communication network includes a core network node, and the first communication processing unit is configured to transmit the capability information to the core network node.
- The terminal apparatus according to any one of claims 1 to 6, wherein the mobile communication network includes a base station, and the first communication processing unit is configured to transmit the capability information to the base station.
- The terminal apparatus according to any one of claims 1 to 7, wherein the mobile communication network includes a base station, the first communication processing unit receives, from the base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between the terminal apparatus and a security gateway via a wireless local area network, and the terminal apparatus further comprises a second communication processing unit configured to perform authentication or encryption for communication with the security gateway via the wireless local area network based on the scheme information.
- A core network node comprising: an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus; and a communication processing unit configured to transmit the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A base station comprising: an information obtaining unit configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and a first communication processing unit configured to transmit the scheme information to the security gateway.
- The base station according to claim 10, wherein the authentication scheme is a digital signature scheme.
- The base station according to claim 11, wherein the information obtaining unit is configured to obtain a certificate used in the digital signature scheme, and the first communication processing unit is configured to transmit the certificate to the security gateway.
- The base station according to any one of claims 10 to 12, wherein the encryption scheme is an encryption scheme for IPsec.
- The base station according to any one of claims 10 to 13, wherein the encryption scheme includes at least one of an encryption algorithm and a key generation scheme.
- The base station according to claim 14, wherein the key generation scheme includes at least one of a pseudo-random function and a Diffie-Hellman (DH) group.
- The base station according to any one of claims 10 to 15, wherein the information obtaining unit is configured to obtain capability information related to capability of the terminal apparatus, the capability information includes information indicating an authentication scheme or an encryption scheme supported by the terminal apparatus, and the base station further comprises a control unit configured to select the authentication scheme or the encryption scheme to be used for the communication between the terminal apparatus and the security gateway based on the capability information.
- The base station according to claim 16, further comprising a second communication processing unit configured to receive the capability information from a core network node.
- The base station according to claim 16, further comprising a third communication processing unit configured to receive the capability information from the terminal apparatus.
- The base station according to any one of claims 10 to 18, wherein the authentication scheme or the encryption scheme is a scheme per service class.
- The base station according to claim 19, wherein the service class is a quality of service class identifier (QCI) or an Internet Protocol (IP) flow.
- The base station according to any one of claims 10 to 20, further comprising a third communication processing unit configured to transmit the scheme information to the terminal apparatus.
- The base station according to any one of claims 10 to 21, wherein the base station is an evolved Node B (eNB), the terminal apparatus is a user equipment (UE), and the security gateway is an LTE WLAN RAN Level Integration using IPSec Security Gateway (LWIP-SeGW).
- A security gateway comprising: a first communication processing unit configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and the security gateway via a wireless local area network; and a second communication processing unit configured to perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- A method comprising: obtaining capability information related to capability of a terminal apparatus; and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A program for causing a processor to execute: obtaining capability information related to capability of a terminal apparatus; and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute: obtaining capability information related to capability of a terminal apparatus; and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- An apparatus comprising: an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus; and a first communication processing unit configured to transmit the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for Security Architecture for Internet Protocol (IPsec) supported by the terminal apparatus.
- An apparatus comprising: a memory storing a program; and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute: obtaining capability information related to capability of a terminal apparatus; and transmitting the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- An apparatus comprising: a memory; and one or more processors, wherein the one or more processors are configured to: obtain capability information related to capability of a terminal apparatus; and transmit the capability information to a mobile communication network, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- The apparatus according to any one of claims 27 to 29, wherein the apparatus is the terminal apparatus or a module for the terminal apparatus.
- A method comprising: obtaining capability information related to capability of a terminal apparatus; and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A program for causing a processor to execute: obtaining capability information related to capability of a terminal apparatus; and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- A non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute: obtaining capability information related to capability of a terminal apparatus; and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- An apparatus comprising: an information obtaining unit configured to obtain capability information related to capability of a terminal apparatus; and a communication processing unit configured to transmit the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- An apparatus comprising: a memory storing a program; and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute: obtaining capability information related to capability of a terminal apparatus; and transmitting the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- An apparatus comprising: a memory; and one or more processors, wherein the one or more processors are configured to: obtain capability information related to capability of a terminal apparatus; and transmit the capability information to a base station, wherein the capability information includes information indicating an authentication scheme supported by the terminal apparatus, or information indicating an encryption scheme for IPsec supported by the terminal apparatus.
- The apparatus according to any one of claims 34 to 36, wherein the apparatus is a core network node or a module for a core network node.
- A method comprising: obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and transmitting the scheme information to the security gateway.
- A program for causing a processor to execute: obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and transmitting the scheme information to the security gateway.
- A non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute: obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and transmitting the scheme information to the security gateway.
- An apparatus comprising: an information obtaining unit configured to obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and a first communication processing unit configured to transmit the scheme information to the security gateway.
- An apparatus comprising: a memory storing a program; and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute: obtaining scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and transmitting the scheme information to the security gateway.
- An apparatus comprising: a memory; and one or more processors, wherein the one or more processors are configured to: obtain scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and transmit the scheme information to the security gateway.
- The apparatus according to any one of claims 41 to 43, wherein the apparatus is a base station, one or more apparatuses out of a plurality of apparatuses constituting a base station, or a module of one of the plurality of apparatuses.
- A method comprising: receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- A program for causing a processor to execute: receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- A non-transitory computer readable recording medium having recorded thereon a program for causing a processor to execute: receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- An apparatus comprising: a first communication processing unit configured to receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and a second communication processing unit configured to perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- An apparatus comprising: a memory storing a program; and one or more processors capable of executing the program, wherein the program is a program for causing a processor to execute: receiving, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and performing authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- An apparatus comprising: a memory; and one or more processors, wherein the one or more processors are configured to: receive, from a base station, scheme information indicating an authentication scheme or an encryption scheme to be used for communication between a terminal apparatus and a security gateway via a wireless local area network; and perform authentication or encryption for communication with the terminal apparatus via the wireless local area network based on the scheme information.
- The apparatus according to any one of claims 48 to 50, wherein the apparatus is the security gateway or a module for the security gateway.
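The claims above describe a three-party exchange: the UE reports which signature schemes and IPsec parameters (encryption algorithm, PRF, DH group) it supports, the eNB selects a scheme per service class from that capability information and its own policy (claims 16, 19, 20), and the eNB forwards the selected scheme information to both the LWIP-SeGW and the UE (claims 10, 21, 23). The following is an added model of that selection and of the SeGW-side check; it is not code from the patent, and all transform names, QCI policies and capability sets are constructed sample values.

```python
"""Constructed model of the capability/scheme negotiation in the claims.

Roles (names are this example's own, not the patent's):
  1. UE -> network: capability information (supported signature schemes and
     IPsec encryption algorithm / PRF / DH group).
  2. eNB: selects the scheme per QCI from the capability information and an
     operator policy ordered strongest-first; refuses if nothing overlaps.
  3. eNB -> SeGW and UE: scheme information; the SeGW then accepts an IKE
     proposal from the UE only if it matches the eNB-selected scheme.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Capability:
    """Capability information reported by the UE (constructed sample fields)."""
    signature: FrozenSet[str]
    encryption: FrozenSet[str]
    prf: FrozenSet[str]
    dh_group: FrozenSet[int]


@dataclass(frozen=True)
class Policy:
    """eNB preference lists for one QCI, strongest first (operator-defined)."""
    signature: List[str]
    encryption: List[str]
    prf: List[str]
    dh_group: List[int]


@dataclass(frozen=True)
class SchemeInfo:
    """Scheme information the eNB sends to the SeGW and to the UE."""
    qci: int
    signature: str
    encryption: str
    prf: str
    dh_group: int


def _pick(preferred, supported):
    """First policy entry the UE supports, or None if there is no overlap."""
    for candidate in preferred:
        if candidate in supported:
            return candidate
    return None


def select_scheme(qci: int, capability: Capability,
                  policies: Dict[int, Policy]) -> Optional[SchemeInfo]:
    """eNB control unit: choose the scheme for this QCI, or None to refuse.

    Returning None (rather than falling back to whatever the UE offers) is
    the safety property: only options listed in the eNB policy are usable.
    """
    policy = policies.get(qci)
    if policy is None:
        return None
    chosen = (_pick(policy.signature, capability.signature),
              _pick(policy.encryption, capability.encryption),
              _pick(policy.prf, capability.prf),
              _pick(policy.dh_group, capability.dh_group))
    if any(c is None for c in chosen):
        return None
    return SchemeInfo(qci, *chosen)


def scheme_message(scheme: SchemeInfo) -> dict:
    """Wire form of the scheme information (constructed field names)."""
    return {"qci": scheme.qci, "auth": scheme.signature,
            "encr": scheme.encryption, "prf": scheme.prf,
            "dh": scheme.dh_group}


def segw_accepts(scheme_info: dict, proposal: dict) -> bool:
    """SeGW: accept a UE IKE proposal only if it matches the eNB's choice.

    This is what stops a proposal weaker than the selected scheme from
    being negotiated on the WLAN leg.
    """
    return all(proposal.get(k) == v for k, v in scheme_info.items())


# Constructed sample data (IKEv2 transform names as in the IANA registry).
UE_CAPABILITY = Capability(
    signature=frozenset({"RSA", "DSA"}),
    encryption=frozenset({"ENCR_AES_GCM_16", "ENCR_AES_CBC"}),
    prf=frozenset({"PRF_HMAC_SHA2_256", "PRF_HMAC_SHA1"}),
    dh_group=frozenset({2, 14, 19}))
LEGACY_UE_CAPABILITY = Capability(
    signature=frozenset({"DSA"}), encryption=frozenset({"ENCR_AES_CBC"}),
    prf=frozenset({"PRF_HMAC_SHA1"}), dh_group=frozenset({2}))
ENB_POLICY = {
    1: Policy(["RSA"], ["ENCR_AES_GCM_16", "ENCR_AES_CBC"],
              ["PRF_HMAC_SHA2_256"], [19, 14]),          # QCI 1: voice
    9: Policy(["RSA", "DSA"], ["ENCR_AES_GCM_16", "ENCR_AES_CBC"],
              ["PRF_HMAC_SHA2_256", "PRF_HMAC_SHA1"], [19, 14]),  # QCI 9
}

if __name__ == "__main__":
    for qci in (1, 9):
        print(qci, select_scheme(qci, UE_CAPABILITY, ENB_POLICY))
    print("legacy UE, QCI 1:", select_scheme(1, LEGACY_UE_CAPABILITY, ENB_POLICY))
```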
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2016215220 | 2016-11-02 | ||
PCT/JP2017/038902 WO2018084081A1 (en) | 2016-11-02 | 2017-10-27 | Terminal device, core network node, base station, security gateway, device, method, program, and recording medium |
Publications (2)
Publication Number | Publication Date |
---|---|
EP3537743A1 (en) | 2019-09-11 |
EP3537743A4 (en) | 2019-10-30 |
Family
ID=62075650
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP17866905.7A Pending EP3537743A4 (en) | 2016-11-02 | 2017-10-27 | Terminal device, core network node, base station, security gateway, device, method, program, and recording medium |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP3537743A4 (en) |
JP (2) | JP6680363B2 (en) |
WO (1) | WO2018084081A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113455024A (en) * | 2020-05-29 | 2021-09-28 | 华为技术有限公司 | Key acquisition method and related device |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7054291B2 (en) * | 2001-01-22 | 2006-05-30 | Telefonaktiebolaget Lm Ericsson (Publ) | Method of and system for mobile station abbreviated point-to-point protocol negotiation |
US8127136B2 (en) * | 2004-08-25 | 2012-02-28 | Samsung Electronics Co., Ltd | Method for security association negotiation with extensible authentication protocol in wireless portable internet system |
TWI543644B (en) * | 2006-12-27 | 2016-07-21 | 無線創新信號信託公司 | Method and apparatus for base station self-configuration |
US8842546B2 (en) * | 2010-07-22 | 2014-09-23 | Mediatek Inc. | Method for wireless communication in a device with co-existence radio |
JP2014022847A (en) * | 2012-07-13 | 2014-02-03 | Sumitomo Electric Ind Ltd | Radio base station device, radio terminal device, radio communication device, communication control method, and communication control program |
US9516065B2 (en) * | 2014-12-23 | 2016-12-06 | Freescale Semiconductor, Inc. | Secure communication device and method |
2017
- 2017-10-27 JP JP2018548978A patent/JP6680363B2/en active Active
- 2017-10-27 EP EP17866905.7A patent/EP3537743A4/en active Pending
- 2017-10-27 WO PCT/JP2017/038902 patent/WO2018084081A1/en unknown
2020
- 2020-03-19 JP JP2020048598A patent/JP6874878B2/en active Active
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113455024A (en) * | 2020-05-29 | 2021-09-28 | 华为技术有限公司 | Key acquisition method and related device |
CN113455024B (en) * | 2020-05-29 | 2023-01-13 | 华为技术有限公司 | Key acquisition method and related device |
Also Published As
Publication number | Publication date |
---|---|
JP6874878B2 (en) | 2021-05-19 |
JPWO2018084081A1 (en) | 2019-07-11 |
EP3537743A4 (en) | 2019-10-30 |
JP6680363B2 (en) | 2020-04-15 |
WO2018084081A1 (en) | 2018-05-11 |
JP2020096386A (en) | 2020-06-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3726908B1 (en) | | Radio access network node, radio terminal, and methods and non-transitory computer-readable media therefor |
EP3286946B1 (en) | | Network slice selection |
CN108464047B (en) | | Wireless station system, wireless terminal and method thereof |
EP3634015B1 (en) | | Radio station system, radio terminal, and methods therein |
CN105850169B (en) | | Apparatus, system and method for secure communication of User Equipment (UE) in wireless local area network |
EP3451722B1 (en) | | Key derivation when network slicing is applied |
KR101834685B1 (en) | | Apparatus, system and method of securing communications of a user equipment (ue) in a wireless local area network |
EP4325735A2 (en) | | Apparatus, method, system, program, and recording medium related to beamforming |
CN109246696B (en) | | Key processing method and related device |
EP3068167A1 (en) | | Communication control method, relay terminal apparatus, terminal apparatus, base station apparatus, control apparatus, server apparatus, and mobile communication system |
EP3952393A1 (en) | | Communication apparatus, base station apparatus, communication method, and control method of base station apparatus |
EP4362519A2 (en) | | Communication terminal, network device, communication method, and de-concealment method |
EP3567965A1 (en) | | Terminal device, base station device, method and recording medium |
EP3567891A1 (en) | | Base station, terminal device, method, program, and recording medium |
US11503503B2 (en) | | Adding framing protocol header to downlink data |
EP3537743A1 (en) | | Terminal device, core network node, base station, security gateway, device, method, program, and recording medium |
EP3537846B1 (en) | | Base station, gateway, apparatus, method, program, and recording medium |
CN113873492A (en) | | Communication method and related device |
EP4247079A1 (en) | | Base station and user device |
WO2023113660A1 (en) | | Methods, network node, user equipment, computer programs and carriers for handling a connection procedure |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
| PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
| 17P | Request for examination filed | Effective date: 20190412 |
| AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
| AX | Request for extension of the european patent | Extension state: BA ME |
| A4 | Supplementary search report drawn up and despatched | Effective date: 20190927 |
| RIC1 | Information provided on ipc code assigned before grant | Ipc: H04W 12/06 20090101ALI20190923BHEP Ipc: H04W 88/06 20090101ALI20190923BHEP Ipc: H04L 29/06 20060101ALN20190923BHEP Ipc: H04W 12/00 20090101ALI20190923BHEP Ipc: H04W 8/22 20090101AFI20190923BHEP Ipc: H04W 72/04 20090101ALI20190923BHEP Ipc: H04W 12/08 20090101ALI20190923BHEP Ipc: H04W 84/12 20090101ALI20190923BHEP |
| DAV | Request for validation of the european patent (deleted) | |
| DAX | Request for extension of the european patent (deleted) | |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
| 17Q | First examination report despatched | Effective date: 20201123 |
| STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
| RIC1 | Information provided on ipc code assigned before grant | Ipc: H04L 29/06 20060101ALN20210910BHEP Ipc: H04W 12/069 20210101ALI20210910BHEP Ipc: H04W 12/033 20210101ALI20210910BHEP Ipc: H04W 12/37 20210101ALI20210910BHEP Ipc: H04W 88/06 20090101ALI20210910BHEP Ipc: H04W 84/12 20090101ALI20210910BHEP Ipc: H04W 72/04 20090101ALI20210910BHEP Ipc: H04W 12/08 20210101ALI20210910BHEP Ipc: H04W 12/06 20210101ALI20210910BHEP Ipc: H04W 8/22 20090101AFI20210910BHEP |